Mobile security in Cyber Security
1. MOBILE - SECURITY
Cyber and Information Security
(Network and Communication Security)
Geo S. Mariyan
(Master in Computer Science)
University of Mumbai.
2. Introduction
• Mobile security is the protection of smartphones, tablets, laptops and other
portable computing devices, and the networks they connect to, from threats and
vulnerabilities associated with wireless computing. Because these devices reach
their networks over Wi-Fi, cellular data and Bluetooth, mobile security overlaps
heavily with wireless security, but it also covers the device itself, its applications
and the data stored on it.
• Mobile security has become increasingly important as mobile computing has spread.
• It is of particular concern because of the personal and business
information now stored on smartphones.
• Rapid advances in low-power computing, communications and storage
technologies continue to broaden what mobile devices such as cell
phones and personal digital assistants (PDAs) can do, and with it their attack surface.
3. Security Issue: Mobile Virus
• A cell-phone virus is basically the same thing as a computer virus: an
unwanted executable file that "infects" a device and then copies itself to other
devices.
1. A computer virus or worm spreads through e-mail attachments and
Internet downloads.
2. A cell-phone virus or worm spreads via Internet downloads, MMS
attachments and Bluetooth transfers.
• When this material was written, phone-to-phone viruses (Cabir over Bluetooth in 2004,
Commwarrior over MMS and Bluetooth in 2005) almost exclusively infected phones running
the Symbian operating system; the same techniques now target Android and, to a lesser
degree, iOS.
• Common operating systems and Bluetooth make it possible for cell-phone viruses to spread
through MMS attachments or SMS messages carrying a download link, or by sending Bluetooth
transfer requests to phones that are physically close enough.
4. SPREADING OF VIRUS
Phones that can only make and receive calls are not exposed to these vectors. Only
phones with a Bluetooth connection and data capabilities can receive a cell-phone virus.
These viruses spread primarily in three ways:
1. Internet download - The user downloads an infected file to the phone
by way of a PC or the phone's own Internet connection and installs it.
5. 2. Bluetooth wireless connection - The user receives a virus via
Bluetooth when the phone is in discoverable mode, meaning it can be
seen by other Bluetooth-enabled phones. The victim still has to accept the incoming
file and install it, so these worms rely on the user clicking through the prompts.
3. Multimedia Messaging Service - The virus arrives as an attachment to an MMS
message, typically sent from an infected phone to the numbers in its address book.
6. CURRENT STATUS OF MOBILE MALWARE
• Mobile malware is malicious software written specifically for a mobile device system such as a
phone, tablet or wireless-enabled personal digital assistant (PDA), whether its aim is to crash or
disable the device or to steal and leak the confidential information stored on it.
• As wireless phones and PDA networks have become more common and more complex, it has become
increasingly difficult to keep them safe from electronic attacks in the form of viruses or other
malware.
• Most mobile malware is designed to disable a mobile device, to let a malicious user control the
device remotely, or to steal personal information stored on the device.
7. THREATS OF MOBILE PHONE VIRUS
• A virus might read and/or delete all of the contact information and calendar entries in your
phone, or send an infected MMS message to every number in your phone book.
• The top three areas of concern for mobile users are receiving inappropriate content, fraudulent
increases in phone bills (for example malware sending premium-rate SMS or MMS) and loss of
important information stored on the handset.
8. Mobile Payment Application Security
• Mobile payment applications need a secure mechanism to protect the card details of their
users. The strongest option is not to store the card number on the device at all, but to let
the payment provider issue a token that stands in for it, so that a compromised phone yields
nothing reusable.
• Phishing is the attempt to obtain sensitive information such as usernames, passwords and
credit card details (and sometimes, indirectly, money), often for malicious reasons, by posing
as a trustworthy party in an electronic communication.
• Credit and debit card payment and online fraud are highly profitable criminal activities that
are increasingly dominated by card-not-present transactions: the unauthorised use of card data
(the card number, security code and expiry date) to purchase products and services in a
non-face-to-face setting, such as via e-commerce websites.
9. Mobile Database Application (MDA)
• A mobile database is a partial replica of the central database, held on the device.
• The user first makes modifications to the local mobile database.
• Synchronization between the server and the mobile device then brings the two copies back
into agreement.
• To complete the synchronization a publication is needed: the metadata package that describes
which data are replicated, and to whom.
• With the publication, the database server can synchronize with the mobile database
correctly. The publication must be accessible only to users who have been authenticated.
10. Information Risks
• The mobile device may be stolen by an attacker, who then tries to read the data stored on
it (data at rest).
• Sensitive data sent over the network may be intercepted by an attacker (data in transit).
• People without an account for the mobile application may try to reach the server without
permission, or may try to log in with someone else's account to obtain that person's personal
information (authentication).
• Legitimate but malicious users of the application may try to modify data on the server
without having been granted sufficient permissions, or to read data they are not allowed to
see (authorization).
11. Methods to Ensure Security and Privacy in Mobile Applications
a) Secure Network Connection
b) Encrypted Local Data
c) User Authentication
d) Grant Minimum Sufficient Permissions
e) Separate User Accounts
f) Applications Provided Security Mechanisms
12. Secure Network Connection
• Network security is the process of taking physical and software preventive measures to
protect the underlying networking infrastructure from unauthorized access, misuse,
malfunction, modification, destruction or improper disclosure, thereby creating a secure
platform for computers, users and programs.
• To ensure that sensitive data crossing the network cannot be read or altered by an
attacker, the application should use a secure network connection.
• In practice this means HTTPS (HTTP over TLS) instead of plain HTTP: TLS encrypts the traffic
and, just as importantly, authenticates the server, so the client knows it is talking to the
real back end and not to someone sitting between them. That guarantee only holds if the client
actually validates the server's certificate; a client configured to accept any certificate, or
one whose trust store contains an attacker-controlled root, is encrypted but not secure. HTTPS
also protects the data only while in transit, not once stored on the device or the server.
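As an added example (not from the original slides), the following Go program shows the difference between using HTTPS and verifying it. It starts a local HTTPS server with a self-signed certificate, standing in for the application's back end (the JSON response is constructed), and connects with three clients: the default client (system roots), a client with certificate verification switched off, and a client pinned to the server's own certificate. The server, handler and function names are the example's own.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newSyncServer starts a local HTTPS server with a self-signed certificate. It
// stands in for the mobile application's back end (constructed for this example).
func newSyncServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"records":[{"id":1,"balance":"42.00"}]}`) // constructed sample response
	}))
}

// fetch performs one GET with the given client and returns nil only if the TLS
// handshake succeeded and the server answered 200.
func fetch(client *http.Client, url string) error {
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	return nil
}

// insecureClient is the misconfiguration found in many mobile apps: it accepts any
// certificate, so a man-in-the-middle presenting its own certificate can read and
// alter traffic that the developer believes is "encrypted with HTTPS".
func insecureClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // never ship this
	}}
}

// pinnedClient trusts exactly the certificate the app expects from its own server
// (bundled with the app) rather than every CA installed on the device, and refuses
// TLS versions below 1.2.
func pinnedClient(serverCert *x509.Certificate) *http.Client {
	pool := x509.NewCertPool()
	pool.AddCert(serverCert)
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
	}}
}

// Compare reports whether each client's connection to the self-signed server was
// accepted: the default client rejects it, the insecure one accepts anything
// (an attacker included), and the pinned one accepts exactly the expected server.
func Compare() (defaultOK, insecureOK, pinnedOK bool) {
	srv := newSyncServer()
	defer srv.Close()
	defaultOK = fetch(http.DefaultClient, srv.URL) == nil
	insecureOK = fetch(insecureClient(), srv.URL) == nil
	pinnedOK = fetch(pinnedClient(srv.Certificate()), srv.URL) == nil
	return
}

func main() {
	d, i, p := Compare()
	fmt.Printf("system roots: %v  InsecureSkipVerify: %v  pinned: %v\n", d, i, p) // false true true
}
```

The InsecureSkipVerify client "works" against the self-signed test server for the same reason it would work against an attacker's proxy: it checks nothing. Pinning to a bundled certificate or private CA is how a mobile app avoids trusting every root on the device, at the cost of shipping an update when the certificate rotates.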
13. Encrypted Local Data
• Because the mobile device may be lost or stolen, the data stored on it must remain
protected even when the attacker has the hardware in hand.
• Therefore the sensitive data on the device should be encrypted, with an authenticated cipher
such as AES-GCM so that tampering is detected as well as reading. The encryption is only as
good as its key management: the key must not sit beside the ciphertext in the same file or
database, but should live in the platform keystore or be derived from the user's passcode.
Device-level encryption provided by the OS helps, but it is unlocked whenever the phone is, so
application-level encryption of the most sensitive fields still matters.
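An added example, not part of the original deck: encrypting one row of the on-device replica with AES-256-GCM in Go. The Record type, its field names and the sample contact row are constructed for the example, and loadDataKey stands in for fetching the key from the platform keystore (Android Keystore or iOS Keychain); that key is what a thief must not find next to the ciphertext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is one row of the on-device replica (constructed schema for this example).
type Record struct {
	ID      string
	Payload []byte
}

// loadDataKey stands in for fetching the 256-bit data key from the platform keystore
// (Android Keystore, iOS Keychain). Here it is generated in memory; the point is that
// the key is never written beside the data it protects.
func loadDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts rec.Payload with AES-256-GCM. The record ID is bound in as associated
// data, so a ciphertext copied onto another row fails to decrypt.
// Output layout: nonce (12 bytes) || ciphertext || GCM tag (16 bytes).
func Seal(key []byte, rec Record) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce for every record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, rec.Payload, []byte(rec.ID)), nil
}

// Open reverses Seal. Any change to nonce, ciphertext, tag or record ID makes the
// GCM tag check fail, so an edited or relocated row yields an error, not data.
func Open(key []byte, id string, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], []byte(id))
}

// Demo returns whether a round trip works, whether a flipped tag bit is detected,
// and whether the same ciphertext attached to another record ID is detected.
func Demo() (roundTrip, tamperDetected, swapDetected bool, err error) {
	key, err := loadDataKey()
	if err != nil {
		return
	}
	rec := Record{ID: "contact:17", Payload: []byte("Alice Example, +1 555 0100")} // constructed row
	blob, err := Seal(key, rec)
	if err != nil {
		return
	}
	pt, openErr := Open(key, rec.ID, blob)
	roundTrip = openErr == nil && bytes.Equal(pt, rec.Payload)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	_, tamperErr := Open(key, rec.ID, tampered)
	tamperDetected = tamperErr != nil

	_, swapErr := Open(key, "contact:18", blob) // same blob presented as a different row
	swapDetected = swapErr != nil
	return
}

func main() {
	rt, td, sd, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("round trip=%v tamper detected=%v row swap detected=%v\n", rt, td, sd) // true true true
}
```

Binding the record ID as associated data is the detail worth copying: without it, an attacker who cannot read the database can still swap encrypted values between rows (for example moving a "balance" field from one account to another) and the decryption succeeds.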
14. User Authentication
• User authentication is the process by which a system verifies the identity of someone
who connects to a network resource. Many technologies are available to a network
administrator for authenticating users: passwords, one-time codes, certificates, hardware tokens.
• If the mobile application is a mobile database application, the user must be
authenticated by the database server.
• Only after authentication can they access the publication to synchronize
the mobile database with the database server.
• Users must also be authenticated at the web server, so that knowing the URL alone does not
grant access: every request, not only the login page, has to carry a credential (a session or
token) that the server verifies.
15. Grant Minimum Sufficient Permissions
• Users should be granted the minimum permissions sufficient for their task, to ensure
the security and privacy of mobile applications (the principle of least privilege).
• For example, a user who only needs to view the data should not be granted write
permission, because with it they could make modifications as they wish, and so could
any malware or attacker holding their session.
16. Separate User Accounts
• Sometimes a user is given two accounts in order to ensure security and privacy in
the mobile application.
• For example, a user may view all the data but modify only part of it. Therefore we
design two accounts.
• The first is a read-only account that can view all the data, while the other is a
read-write account that can view and modify only its own part of the data. Routine work is
done with the narrower account, so the broader one is exposed less often.
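The following Go program is an added example covering both the authentication slide (14) and the permission slides (15 and 16); it is not code from the original deck. The server issues an HMAC-SHA256-signed bearer token after login (the password check itself is assumed to have already happened), refuses any request to the sync URL that lacks a valid, unexpired token, and then applies the two-account model: a read-only account may view all regions, a read-write account may modify only its own region. Account, tokenKey, the /sync path, the region parameter and the user names are the example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
	"time"
)

// Account models the two-account design: a read-only account may view everything,
// a read-write account may modify only rows in its own region.
type Account struct {
	User, Role, Region string // Role is "read-only" or "read-write"
}

// tokenKey is the server-side signing secret: random per process here, from a secret store in production.
var tokenKey = make([]byte, 32)
func init() {
	if _, err := rand.Read(tokenKey); err != nil {
		panic(err)
	}
}

// IssueToken is handed out after the user has authenticated (the password/MFA check itself is out of scope).
// Format: base64url(user|role|region|expiry) "." base64url(HMAC-SHA256(tokenKey, payload)).
func IssueToken(a Account, ttl time.Duration) string {
	payload := a.User + "|" + a.Role + "|" + a.Region + "|" + strconv.FormatInt(time.Now().Add(ttl).Unix(), 10)
	mac := hmac.New(sha256.New, tokenKey)
	mac.Write([]byte(payload))
	enc := base64.RawURLEncoding
	return enc.EncodeToString([]byte(payload)) + "." + enc.EncodeToString(mac.Sum(nil))
}

// VerifyToken checks the MAC in constant time and rejects expired tokens, so knowing the sync URL alone gets nothing.
func VerifyToken(token string) (Account, bool) {
	pEnc, sEnc, found := strings.Cut(token, ".")
	payload, err1 := base64.RawURLEncoding.DecodeString(pEnc)
	sig, err2 := base64.RawURLEncoding.DecodeString(sEnc)
	mac := hmac.New(sha256.New, tokenKey)
	mac.Write(payload)
	f := strings.Split(string(payload), "|")
	if !found || err1 != nil || err2 != nil || !hmac.Equal(sig, mac.Sum(nil)) || len(f) != 4 {
		return Account{}, false
	}
	exp, err := strconv.ParseInt(f[3], 10, 64)
	if err != nil || time.Now().Unix() >= exp {
		return Account{}, false
	}
	return Account{User: f[0], Role: f[1], Region: f[2]}, true
}

// syncHandler authenticates first, then grants only the minimum permission the operation needs:
// GET (view) for both roles, POST (modify) only for a read-write account inside its own region.
func syncHandler(w http.ResponseWriter, r *http.Request) {
	acct, ok := VerifyToken(strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer "))
	if !ok {
		http.Error(w, "authentication required", http.StatusUnauthorized)
		return
	}
	region := r.URL.Query().Get("region")
	if r.Method == http.MethodPost && (acct.Role != "read-write" || region != acct.Region) {
		http.Error(w, "insufficient permission", http.StatusForbidden)
		return
	}
	fmt.Fprintf(w, "%s on region %q by %s\n", r.Method, region, acct.User)
}

// call sends one request to the sync endpoint and returns the HTTP status (0 on transport error).
func call(base, method, token, region string) int {
	req, _ := http.NewRequest(method, base+"/sync?region="+region, nil)
	req.Header.Set("Authorization", "Bearer "+token) // an empty token yields "Bearer " and fails verification
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0
	}
	resp.Body.Close()
	return resp.StatusCode
}

// Scenario returns statuses for: no token GET, read-only GET, read-only POST, read-write POST in own region, read-write POST elsewhere, expired-token GET.
func Scenario() []int {
	srv := httptest.NewServer(http.HandlerFunc(syncHandler)) // plain HTTP for the demo; deploy behind TLS
	defer srv.Close()
	viewer := IssueToken(Account{"auditor", "read-only", "*"}, time.Minute)
	editor := IssueToken(Account{"agent-west", "read-write", "west"}, time.Minute)
	expired := IssueToken(Account{"agent-west", "read-write", "west"}, -time.Minute)
	return []int{
		call(srv.URL, "GET", "", "west"), call(srv.URL, "GET", viewer, "east"), call(srv.URL, "POST", viewer, "east"),
		call(srv.URL, "POST", editor, "west"), call(srv.URL, "POST", editor, "east"), call(srv.URL, "GET", expired, "west"),
	}
}

func main() { fmt.Println(Scenario()) } // [401 200 403 200 403 401]
```

The order of the checks in syncHandler is the point of slides 14 to 16 in one place: identity first (401 for anyone the server cannot verify, including a holder of an expired token), then the permission for the specific operation and data slice (403 for a read-only account trying to write, and for a read-write account writing outside its own region), with the role and region carried inside the signed token so the client cannot promote itself.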
17. Application Provided Security & Privacy Mechanism
• The mobile application can provide further security and privacy mechanisms of its own.
• For example, the application may encrypt and sign the data before they enter the secure
communication link, so that confidentiality and integrity do not depend solely on TLS (which
may be terminated by a proxy or load balancer before the data reach the server).
• Another example is that the user can only access a replica of the main table of the
central database, so that even if the replica is successfully attacked through the mobile
application, only the data published to that user are exposed, and changes reach the central
database only through synchronization, where they can be validated.
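As an added example (not from the original deck) of the "encrypt and sign before the data enter the link" point, the Go program below signs each sync record with the device's Ed25519 key and verifies it on the server with the public key enrolled for that device, independently of whatever TLS does in between. SyncRecord, SignedRecord, their field names and the sample order row are constructed; the monotonic Seq field is an assumption added so that the server can also reject replays of a genuine record. Encryption of the record body is left out to keep the focus on the signature; in practice the signature would cover the ciphertext.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// SyncRecord is one change the device uploads to the central database (constructed schema).
type SyncRecord struct {
	Device string `json:"device"`
	Seq    uint64 `json:"seq"` // monotonic per device; lets the server drop replays
	Table  string `json:"table"`
	Row    string `json:"row"`
	Value  string `json:"value"`
}

// SignedRecord is what actually crosses the wire: the record and the device's
// Ed25519 signature over its canonical JSON encoding.
type SignedRecord struct {
	Record    SyncRecord `json:"record"`
	Signature []byte     `json:"sig"`
}

// canonical returns the bytes that are signed. encoding/json emits struct fields in
// declaration order with no whitespace, which is enough for both sides to agree.
func canonical(r SyncRecord) ([]byte, error) { return json.Marshal(r) }

// Sign runs on the device. The private key never leaves the device's keystore
// (here it is generated in memory for the example).
func Sign(priv ed25519.PrivateKey, r SyncRecord) (SignedRecord, error) {
	msg, err := canonical(r)
	if err != nil {
		return SignedRecord{}, err
	}
	return SignedRecord{Record: r, Signature: ed25519.Sign(priv, msg)}, nil
}

// Verify runs on the server against the public key registered for the claimed device
// at enrolment. It also enforces the sequence number so that a captured valid record
// cannot be replayed later.
func Verify(pub ed25519.PublicKey, lastSeq uint64, s SignedRecord) error {
	msg, err := canonical(s.Record)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, s.Signature) {
		return fmt.Errorf("record %s/%s: bad signature", s.Record.Table, s.Record.Row)
	}
	if s.Record.Seq <= lastSeq {
		return fmt.Errorf("record %s/%s: replayed sequence %d", s.Record.Table, s.Record.Row, s.Record.Seq)
	}
	return nil
}

// Demo returns: genuine record accepted, altered record rejected, record signed by the
// wrong device rejected, replayed record rejected.
func Demo() (ok, alteredRejected, wrongKeyRejected, replayRejected bool, err error) {
	pubA, privA, err := ed25519.GenerateKey(rand.Reader) // device A's enrolled key pair
	if err != nil {
		return
	}
	_, privB, err := ed25519.GenerateKey(rand.Reader) // some other device's key
	if err != nil {
		return
	}
	rec := SyncRecord{Device: "A", Seq: 8, Table: "orders", Row: "o-1", Value: "amount=42.00"} // constructed
	signed, err := Sign(privA, rec)
	if err != nil {
		return
	}
	ok = Verify(pubA, 7, signed) == nil

	altered := signed // struct copy; change the amount after signing, as a hostile proxy would
	altered.Record.Value = "amount=4200.00"
	alteredRejected = Verify(pubA, 7, altered) != nil

	forged, _ := Sign(privB, rec) // signed by a key that is not the one enrolled for device "A"
	wrongKeyRejected = Verify(pubA, 7, forged) != nil

	replayRejected = Verify(pubA, 8, signed) != nil // server has already accepted seq 8
	return
}

func main() {
	fmt.Println(Demo()) // true true true true <nil>
}
```

The server trusts the record because of the enrolled key, not because of the TLS session it arrived on, which is what lets the central database stay protected even when a component between the phone and the database is compromised.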
18. Conclusion
• The best way to protect yourself from cell-phone viruses is the same way you protect yourself
from computer viruses: never open or install anything if you don't know what it is.
The following aspects are the basic points to ensure security and privacy in mobile applications:
1. Secure Network Connection
2. Encryption of Sensitive Data
3. User Authentication
Almost all applications need to pay attention to the above points in order to protect sensitive data.
Here are some steps you can take to decrease your chances of installing a virus:
Turn off Bluetooth discoverable mode. Set your phone to "hidden" so other phones can't detect it
and send it the virus, and never accept a Bluetooth transfer you did not ask for.
Keep the phone's operating system and applications updated, and check security advisories to learn
about malicious file and application names you should watch for.
Security sites with detailed virus information include F-Secure, McAfee & Symantec.