International Journal of Emerging Technology and Advanced Engineering
Website: www.ijetae.com (ISSN 2250-2459,ISO 9001:2008 Certified Journal, Volume 2, Issue 12, December 2012)
Issues and Challenges in Mobile Security
R Santha kumar (1), Dr. K. Kaliyaperumal (2)
(1) Research Scholar, M.S. University, Tirunelveli
(2) Librarian, University of Madras, Chennai
Abstract - Wireless networking technology is quickly changing the way networked computers communicate. The convenience offered by the ability to connect to networks using mobile computing devices has also introduced many security issues that do not exist in the wired world. The ubiquitous use of mobile phones has led to the emergence of applications targeted at mobile platforms. Since mobile devices have become the major platforms for users to transfer and exchange diverse data over wireless networks or the wireless internet, security for mobile accesses is critical to assure secured mobile transactions, mobile data integrity and confidentiality. Mobile security is also critical to protect mobile users and mobile-based application systems from unauthorized accesses and diverse attacks. As mobile access is an emerging technology, this paper discusses the security concepts, issues, and challenges in mobile accesses, and summarizes and analyzes the state of the art of security technologies for mobile accesses. Moreover, the paper discusses and compares the existing mobile security solutions and technologies.
Keywords: mobile applications, security devices, security issues, wireless networks
I. INTRODUCTION
Mobile technologies have evolved beyond recognition since the first radio signals were transmitted by pioneers including Nikola Tesla and Guglielmo Marconi in the late nineteenth century. The advent of mobile phones and similar devices has transformed business and social interactions. Today, many of us use mobile access to the internet to communicate in real time across the globe, to access business and government services online, to shop, view, read, search, explore and even simulate physical activities. Internet access no longer depends on a wired system such as a modem connected to a telephone landline; rather, it can be achieved using a mobile-enabled device whenever and wherever a mobile access point is available. Wireless communication has become the breath and soul of technologies in today’s fast emerging world. The strong demand for mobile applications and services has raised increasing concerns about the security of mobile accesses, user privacy, and mobile applications. This leads to an increasing demand for emerging mobile security technologies and solutions for mobile accesses.
Hence, security becomes very important for mobile users and mobile accesses. Although many mobile security solutions and technologies have been proposed and developed in recent years, there is a lack of a comprehensive study and review of the existing mobile security issues and solutions.
Mobile applications share most of the security issues of traditional networked applications. These include authentication of devices and users, hiding information from prying eyes using encryption, viruses, and access control. However, the mobile world adds some unique issues to the already complex security arena. Mobile devices are easily misplaced or stolen, so physical security is important. Information that is usually confined behind a corporate firewall is now winging its way through the air, possibly spending some time on hosted servers or wireless gateways. The development of thorough security frameworks is another research direction that requires more investigation, experimentation and experience. Most current security frameworks lack a clear separation between policies and security mechanisms and provide monolithic security solutions where applications cannot choose their suitable trade-off between security, scalability and performance. This paper focuses on mobile security concepts, problems, challenges and needs, and solutions.
II. MOBILE AND WIRELESS TECHNOLOGIES
The information and communications technology (ICT) revolution continues as more users adopt wireless systems, both for personal uses and in business dealings. Today, up to half of all broadband-connected households in some countries have wireless access. Major cities are increasingly being serviced by multiple wireless providers and access points, so that wireless devices can be used from almost any urban location.
A. Application Security
The rapidly expanding market of mobile devices and their open programming platforms offer corporations significant opportunities to interact with clients and customers. These devices’ rich functionality supports creative innovations that are not possible through a traditional PC application. However, size and computing power limitations have forced companies to redesign their internet presence to provide mobile device users a browsing experience comparable to that of the PC. As developers redesign websites and create mobile applications, they need to consider the potential security risks and mitigate them.
B. Web Based Mobile Applications
Redesigning a website to fit the screen size of a mobile device may seem straightforward at first - simply shrink the existing site. But this approach fails to consider a mobile device’s browser requirements, its support of JavaScript and embedded Flash objects, the speed of the mobile network, the computational overhead of encryption, and user input from touch-screen keyboards. Given these restrictions, developers may be inclined to choose functionality over security when trade-offs must be made.
C. Client Based Mobile Applications
Apple, Microsoft, Google and other players support different operating systems and software development kits that developers use to create applications. Each of these platforms has a different security model that affects how developers address security within their applications. And each language has its own pitfalls and exposures that must be considered when developing an application. For instance, the iPhone programming language is based on Objective-C, where legacy modules are still vulnerable to buffer overflows. Google’s guidance to individuals performing development of Android applications includes discussion of expected security do’s and don’ts for both developers and users, but does not point to an official application vetting process.
While Apple has an entire site dedicated to its application review process for publishing on its marketplace, Google does not explicitly state whether or not it reviews applications before they are published on its website.
III. SECURITY ISSUES
In the world of computers and communications, the more widely a technology is used, the more likely it is to become the target of hackers. Such is the case with mobile technology, particularly smart phones, which have exploded in popularity in recent years. Many users download mobile applications with little regard to whether they’re secure, providing a ready way for hackers to attack the devices.
Confidentiality: Preventing unauthorized users from gaining access to critical information of any particular user
Integrity: Ensuring that unauthorized modification, destruction or creation of information cannot take place
Availability: Ensuring that authorized users get the access they require
Legitimate: Ensuring that only authorized users have access to services
Accountability: Ensuring that users are held responsible for their security-related activities by linking users and their activities if and when necessary
IV. MOBILE SECURITY CONCEPTS, THREATS AND NEEDS
Whenever discussing mobile security, we must understand mobile security threats to mobile phones and mobile accesses. Mobile phones have certain specific features which make these devices more vulnerable to security attacks. Collin Richard Mulliner in [Mulliner 2006] listed the following features.
Mobility: This is the most important characteristic of mobile phones. Since mobile users can take them anywhere, the chances of their being stolen, lost, or physically tampered with increase as compared to stationary devices.
Strong Personalization: As a personal device, mobile devices usually are not shared among multiple users.
Technology Convergence: Today numerous functional features are integrated in the mobile phones, for example gaming, video and data sharing, and internet browsing.
Limited Resources and Reduced Capabilities: Comparing with stationary devices, mobile devices have four major limitations:
limited battery life
limited computing power
very small display screen size
very small sized keys for inputs
These limits bring the challenges in building mobile security technology.
These features render mobile devices vulnerable to certain types of attacks. Table 1 summarizes these attacks, their related causes, and their potential effects.
| Features | Type of Attack | Mobile Security Effects |
|---|---|---|
| Mobility | Lost or stolen device | Authentication, Confidentiality |
| Limited resources | DoS (Denial of Service) | Data Integrity, Confidentiality, Availability |
| Strong Connectivity Requirement | Viruses or worms (malware) | Data Integrity, Confidentiality, and Charging |
| O.S. Weaknesses, Code Exploitation | Break-In Attacks | Prepare ground for other attacks |

Table 1 Categorization of Attacks Causes
The most frequently seen mobile device security threats are:
Loss and theft
Malware
Spam
Bluetooth and Wi-Fi
A. Loss and theft
Small size and high portability make loss and theft top security concerns when a mobile device is used in the workplace. According to a mobile threat study by Juniper Networks, 1 in 20 mobile devices was stolen or lost in 2010. When devices are lost or stolen, all of the data stored on or accessible from the mobile device may be compromised if access to the device or the data is not effectively controlled.
While not foolproof, some techniques can help reduce the risk of data compromise, such as using a complex password to access the device or critical data, remotely locating the device on a map using global positioning services (GPS), remotely locking the device to render it useless, or remotely wiping data on the device. Some mobile platforms natively provide these techniques, and in the event they do not, basic platform capabilities can often be augmented by functionality available in third party mobile device management or mobile security solutions.
B. Malware
Mobile device malware (viruses, worms, Trojans, spyware) has been on the rise over the past few years because most mobile platforms do not yet have native mechanisms to detect malware. Virtually no mobile platform available today is immune to malware. Although more established mobile platforms such as Symbian and Windows Mobile have been a proving ground for malware developers in the past few years, the Google Android platform is leading in new malware development, primarily due to its popularity and open software distribution model. Malware can cause a loss of personal or confidential data, additional service charges (for example, some malware can send premium Short Message Service (SMS) text messages or make phone calls in the background) and, even worse, make the device unusable. Although quickly removed, numerous malicious applications recently found their way onto the Android marketplace. Some of these were legitimate applications that had been repackaged with a Trojan designed to gain root access or additional privileges to users’ devices. Unsuspecting users may have had malicious code or additional malware installed in that single download from the applications store. Malware can then spread quickly through a wired or wireless connection to another device or a company’s intranet.
C. Spam
D. Bluetooth and Wi-Fi
Bluetooth is a wireless technology that allows Bluetooth-enabled devices to establish a wireless connection with other Bluetooth-enabled devices that are within a specified range. To maintain security, each time a user attempts a connection via Bluetooth, the device should alert the user and require confirmation that it is connecting to a trusted device using Bluetooth technology. In addition, all data traffic that is transmitted between these connected wireless devices should be encrypted. This prevents hackers from connecting and downloading data without user knowledge, as well as “sniffing” traffic as it is being transmitted.
Bluetooth and Wi-Fi effectively increase the connectivity of mobile devices within a certain range, but they can be easily exploited to infect a mobile device with malware or compromise transmitted data. A mobile device may be lured to accept a Bluetooth connection request from a malicious device. In a “man-in-the-middle” attack, when mobile devices connect, the hacker can intercept and compromise all data sent to or from the connected devices. Setting the device’s Bluetooth to an undiscoverable mode and turning off the device’s automatic Wi-Fi connection capability, especially in public areas, can help reduce risks. To completely block incoming connection requests from unknown devices, a local firewall should be installed and run on the mobile device, another traditional security practice that can be extended to the mobile environment. When applied to mobile devices, the framework suggests the following security controls, with actual requirements varying by deployment:
Identity and access
Data protection
Application security
Fundamental integrity control
Governance and compliance
E. Identity and access
Enforce strong passwords to access the device
Use site authentication or two-factor user authentication to help increase the trustworthiness between a user and a website
If virtual private network (VPN) access to corporate intranet is allowed, include capability to control what IP addresses can be accessed and when re-authentication is required for accessing critical resources.
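The VPN control in the last item can be expressed as a small policy decision, shown here as an added example that is not part of the original paper. The rule format, the address ranges and the re-authentication windows are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    network: str             # CIDR range reachable over the VPN
    max_auth_age: timedelta  # how old the last authentication may be
    critical: bool = False   # label only; the shorter window enforces it


# Constructed policy (hypothetical ranges, not taken from the paper).
POLICY = [
    Rule("10.20.0.0/16", timedelta(hours=8)),                     # general intranet
    Rule("10.20.50.0/24", timedelta(minutes=15), critical=True),  # critical systems
]


def decide(dest, last_auth, now, policy=POLICY):
    """Return 'allow', 'reauth' or 'deny' for one connection attempt."""
    try:
        addr = ip_address(dest)
    except ValueError:
        return "deny"  # unparseable destination: fail closed
    matches = [r for r in policy if addr in ip_network(r.network)]
    if not matches:
        return "deny"  # default deny: only listed ranges are reachable
    # The most specific range wins, so the critical /24 overrides the /16.
    rule = max(matches, key=lambda r: ip_network(r.network).prefixlen)
    if last_auth is None:
        return "reauth"
    age = now - last_auth
    # A timestamp in the future (clock skew or tampering) is not trusted.
    if age < timedelta(0) or age > rule.max_auth_age:
        return "reauth"
    return "allow"


if __name__ == "__main__":
    now = datetime(2012, 12, 1, 12, 0)
    an_hour_ago = now - timedelta(hours=1)
    for dest in ("10.20.1.5", "10.20.50.7", "192.0.2.10"):
        print(dest, decide(dest, an_hour_ago, now))
```
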
F. Data protection
Encrypt business data stored on the device and during transmission
Include capability to wipe data locally and remotely
Set timeout to lock the device when it is not used
Periodically back up data on the device so data restore is possible after the lost device has been recovered
Include capability to locate or lockout the device remotely
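As an added example (not from the original paper), the following audit checks device inventory records against the data protection controls above, plus the password control from section E and the Bluetooth and Wi-Fi settings from section D. The record field names, the thresholds and the two sample devices are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed thresholds: the paper names the controls but gives no values.
MIN_PASSCODE_LEN = 8
MAX_LOCK_TIMEOUT_S = 300
MAX_BACKUP_AGE = timedelta(days=7)


def audit_device(dev, now):
    """Return {control: reason} for every listed control the device fails.

    A missing field counts as a failure, so an incomplete inventory
    record never passes by default.
    """
    failed = {}
    if (dev.get("passcode_length") or 0) < MIN_PASSCODE_LEN:
        failed["strong_password"] = f"passcode shorter than {MIN_PASSCODE_LEN}"
    if dev.get("storage_encrypted") is not True:
        failed["data_encryption"] = "storage encryption not confirmed"
    if dev.get("remote_wipe_enabled") is not True:
        failed["remote_wipe"] = "remote wipe not confirmed"
    if dev.get("remote_locate_lock_enabled") is not True:
        failed["remote_locate_lock"] = "remote locate/lock not confirmed"

    timeout = dev.get("lock_timeout_s")
    # A timeout of 0 is treated as "never locks".
    if timeout is None or timeout <= 0 or timeout > MAX_LOCK_TIMEOUT_S:
        failed["lock_timeout"] = f"idle lock missing or over {MAX_LOCK_TIMEOUT_S}s"

    last_backup = dev.get("last_backup")
    if last_backup is None or now - last_backup > MAX_BACKUP_AGE:
        failed["backup"] = f"no backup within {MAX_BACKUP_AGE.days} days"

    if dev.get("bluetooth_discoverable") is not False:
        failed["bluetooth_undiscoverable"] = "Bluetooth may be discoverable"
    if dev.get("wifi_auto_connect") is not False:
        failed["wifi_auto_connect_off"] = "automatic Wi-Fi connection may be on"
    return failed


# Constructed sample inventory (hypothetical devices).
NOW = datetime(2012, 12, 1, 9, 0)
INVENTORY = [
    {"id": "phone-01", "passcode_length": 10, "storage_encrypted": True,
     "remote_wipe_enabled": True, "remote_locate_lock_enabled": True,
     "lock_timeout_s": 120, "last_backup": NOW - timedelta(days=2),
     "bluetooth_discoverable": False, "wifi_auto_connect": False},
    {"id": "phone-02", "passcode_length": 4, "storage_encrypted": False,
     "remote_wipe_enabled": True, "lock_timeout_s": 0,
     "last_backup": NOW - timedelta(days=30),
     "bluetooth_discoverable": True, "wifi_auto_connect": False},
]


def audit_inventory(inventory=INVENTORY, now=NOW):
    """Map each device id to its failed controls."""
    return {dev["id"]: audit_device(dev, now) for dev in inventory}


if __name__ == "__main__":
    for dev_id, failed in audit_inventory().items():
        print(dev_id, "OK" if not failed else sorted(failed))
```
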
V. CHALLENGES IN MOBILE SECURITY
With the increase in mobile device capabilities and subsequent consumer adoption, these devices have become an integral part of how people accomplish tasks, both at work and in their personal lives. Although improvements in hardware and software have enabled more complex tasks to be performed on mobile devices, this functionality has also increased the attractiveness of the platform as a target for attackers.
Mobile applications share most of the security issues of traditional networked applications. These include authentication of devices and users, hiding information from prying eyes using encryption, viruses, and access control. However, the mobile world adds some unique issues to the already complex security arena. Mobile devices are easily misplaced or stolen, so physical security is important. Information that is usually confined behind a corporate firewall is now winging its way through the air, possibly spending some time on hosted servers or wireless gateways.
Because of the limits of mobile devices, implementing mobile security solutions must address the following needs and challenges in building mobile security.
Energy saving security solutions - The limited battery life and operation time require mobile security solutions to be implemented in an energy saving approach.
Limited applications of existing security solutions - The limited computing capability and processing power of mobile devices restrict the applications of many existing complex security solutions, which require heavy processors.
Restricted size of screen and keyboard - This restricts the input and output capabilities of mobile phones, which in turn makes some security-related applications, for example password protection, difficult for mobile users.
Higher portability and inter-operation issues - Since mobile devices may be equipped with different mobile platforms and operation environments, mobile security technologies and solutions must be implemented with a higher portability to address interoperation issues.
VI. ISSUES AND SOLUTIONS
At the heart of all mobile activity is the paramount importance of security. As users take on multiple devices (tablets, smartphones, etc.), connect to an increasing menu of wireless peripherals (storage drives, printers, etc.) and flirt with an explosion of exciting new applications, the need to secure every endpoint has forced IT directors to reassess their entire mobile strategy and architecture.
A. Data security
Data security is keeping all the information the enterprise controls safe, including everything stored on cell phones, laptops and other devices in the field. Sound hard? Well, it is - and getting harder. The best approach is defense in depth, which relies on many approaches at many levels. While the details are complex, defense in depth relies on the common-sense assumption that malware or intruders that elude one level will be caught by another.
B. Mobile devices Security
Mobile devices have their own characteristics and unique security issues. Security threats that go hand in hand with mobility include data exposure through the WLAN, exposure of your network through unsecured public-access points, lost or stolen devices, mobile viruses and other malware. Mobile-device management software offers an umbrella solution, but strong user policies and basics, such as data encryption, remain key elements in a successful mobile security plan.
C. Mobile Devices
Mobile devices are aimed at workers and consumers not working from a wired outlet. The mobile device category is expanding by leaps and bounds, and includes everything from cell phones, feature phones and smart phones to laptops, mobile Internet devices (MIDs) and tablet computers.
Mobile devices are benefiting from the growth of 3G networks and will become even more ubiquitous as 4G grows. There is more diversity in the types of devices and operating systems than in the desktop world.
D. Network security
Network security is a broad term that encompasses the protection, integrity and continuity of network-based assets, which include hardware, software and data, along with related network services. Key elements of network security include strong user policies, network-access controls, and intrusion-prevention systems, which fend off malicious attacks through the Internet or determine access to shared network software. Wireless networks require an even more intricate security matrix.
VII. CONCLUSIONS
Mobile code-based programming models have recently gained wide prominence for their appealing features in terms of flexibility, extensibility and efficiency. In particular, mobile devices have attracted great research interest and are emerging in mobility-enabled scenarios as an enabling technology for the design, implementation and deployment of both advanced Internet services and middleware solutions. Although a great number of mechanisms currently exist, further improvements are still necessary through either the incremental refinement of available protection mechanisms to reduce processing and storage overhead or the combination of complementary mechanisms to form a more effective protection scheme. It is time that users view mobile security holistically, keeping in mind the people, processes and technology needed to mitigate the associated risks. A comprehensive solution includes training people to use mobile devices securely, extending desktop and laptop security policies to mobile devices and implementing mobile security technology solutions ranging from developing secure mobile applications to protecting data while at rest or in transit.
Add mobile security to existing employee security awareness programs
Perform threat modeling to identify the risks of moving applications to a mobile platform
Limit the sensitive data transferred to mobile devices, or consider view-only access
Establish a program that continually evaluates new and emerging threats in mobile platforms
Increase monitoring controls around mobile device connection points when feasible