13.3 - Mobile Devices


 

Key Terms: 

    • Mobile phishing attack – A social engineering attack used on mobile users to leak sensitive information. 
    • The Open Web Application Security Project (OWASP) – The organisation that publishes an annual Top 10 Mobile Risks list. 
    • Open source – Software code that is available to anyone without a fee. 
    • Rooting – Overriding security features on Android devices in order to modify, remove or replace applications. 
    • Jailbreaking – Overriding security features on an iOS device to sideload applications, run apps with administrator permissions and change system files. 
    • Sideloading – Downloading and installing unapproved apps on a mobile device. 
    • Mobile device management (MDM) – A term used to describe policies and procedures used by an organisation to maintain security and permissions on mobile devices. 
    • Bring-Your-Own-Device (BYOD) – A policy that allows employees to use their own devices for work purposes. 

 

Malicious Websites 

A malicious website is a website that contains malicious code and is run by a hacker. The hacker can determine which devices are connecting to the site and run the appropriate malicious code for that device. 

 

Phishing 

Phishing attacks are generally more effective on mobile users. This is because mobile devices are usually used when doing other things such as watching TV or waiting for someone and so the victim is easily distracted and may not recognise an attack. Also, some mobile users are seen as less technical and may not understand social engineering as well. 

 

Data Loss 

Some apps send your personal data to corporate systems. This data is meant to be used for advertising purposes, but it is a very attractive target for hackers as it contains tons of data all stored in one place. 

 

Lost or Stolen Devices 

Mobile devices (as it states in the name) are mobile and portable. This means that it is very easy for someone to take a mobile device and steal all its data. 

 

Access Control 

This includes passwords, biometrics and two-factor authentication. It controls who can access the mobile device and its data. It also controls application privileges; for example, it restricts some applications from full disk access because they don’t need it. 

 

Digital Signing 

Apps that are digitally signed have been verified for their security and have not been tampered with. 

 

Encryption 

Encryption allows data to be transferred without the risk of leakage. Encryption can also happen for data stored on the mobile device. There are both software and hardware solutions for encryption. 

 

Isolation 

Application sandboxing is used to run an application without letting other applications access its resources. This means it is isolated from all the other applications which is more secure. 

 

Permission-based Access Control 

Mobile device applications are required to ask for permissions before they can use certain sensitive features like the microphone or camera. 
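As an added illustration (not from the original notes), the Android runtime-permission flow in Java: the app declares the CAMERA permission in its manifest, checks whether the user has granted it, asks the OS to request it if not, and only touches the camera once the grant comes back. The class name CameraActivity and the helper openCamera are assumed; everything else is the standard Android/AndroidX API.

```java
import android.Manifest;
import android.content.pm.PackageManager;
import android.os.Bundle;
import android.widget.Toast;
import androidx.annotation.NonNull;
import androidx.appcompat.app.AppCompatActivity;
import androidx.core.app.ActivityCompat;
import androidx.core.content.ContextCompat;

// AndroidManifest.xml must also declare the permission, otherwise the OS
// denies the request without ever showing the user a dialog:
//   <uses-permission android:name="android.permission.CAMERA" />
public class CameraActivity extends AppCompatActivity {   // assumed class name
    private static final int REQUEST_CAMERA = 1001;         // arbitrary request code

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Always check first: the user can revoke a permission in Settings at any time,
        // so a grant obtained on a previous run cannot be assumed to still hold.
        if (ContextCompat.checkSelfPermission(this, Manifest.permission.CAMERA)
                == PackageManager.PERMISSION_GRANTED) {
            openCamera();
        } else {
            // The OS owns the consent dialog; the app cannot grant itself the permission.
            ActivityCompat.requestPermissions(this,
                    new String[]{Manifest.permission.CAMERA}, REQUEST_CAMERA);
        }
    }

    @Override
    public void onRequestPermissionsResult(int requestCode, @NonNull String[] permissions,
                                           @NonNull int[] grantResults) {
        super.onRequestPermissionsResult(requestCode, permissions, grantResults);
        if (requestCode != REQUEST_CAMERA) {
            return;
        }
        // grantResults is empty if the request was interrupted; treat that as a denial.
        if (grantResults.length > 0 && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
            openCamera();
        } else {
            // Degrade gracefully instead of crashing with a SecurityException on camera use.
            Toast.makeText(this, "Camera permission denied", Toast.LENGTH_SHORT).show();
        }
    }

    private void openCamera() {   // assumed helper: the camera is only used from here
        // Camera access code goes here; it is reached only after the permission check above.
    }
}
```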

 

OWASP 2016 

    • M1 Improper Platform Usage – Mobile device operating systems must provide security capabilities that are well documented and understood. App developers sometimes fail to use these correctly or even fail to use them at all. 
    • M2 Insecure Data Storage – Applications leak data to corporate servers where they are attacked by hackers and data is stolen. 
    • M3 Insecure Communications – Communications which are not encrypted or secure allow hackers to access the data being communicated more easily. 

 

Vulnerable Conditions 

Mobile devices sometimes have no screen-lock password set or they are very weak. They are designed to easily connect to wireless networks and so they often make unprotected wireless connections. Of course, malware is a constant problem to data security and other sensitive fields. Malware is particularly easy to execute on mobile devices as they usually don’t contain any security software. Also, out-of-date operating systems can contain bugs and vulnerabilities that need to be fixed to stop hackers. 

 

Spyware 

Spyware applications can monitor sensitive information such as call history, text messages, emails, keystrokes, etc. They can also send this information to a command-and-control server which the hacker controls. All of this is done without the user’s knowledge and consent. 

 

Android 

The Android operating system is developed by Google and is an open-source platform based on the Linux kernel. Lots of mobile device manufacturers like to use Android to lower their procurement costs when making mobile devices. Because Android is open source, hackers can also view the source code of the operating system and exploit weaknesses they find. Mobile device manufacturers first download the Android source code from a git repository called the Android Open Source Project (AOSP). They customise the code and install an image onto the mobile devices. Even though manufacturers have customised Android images, the components that make up Android operating systems are the same. 

 

 

 

iOS 

iOS is a mobile operating system developed by Apple and installed on iPhones. iOS is not open source and can only be run on Apple hardware. For this reason, iOS is considered more secure than Android; however, it is less documented. 

 

Mobile Security Model Areas        | Android | iOS 
-----------------------------------|---------|-----
Traditional access controls        |         |     
Digital Signing                    |         |     
Encryption                         |         |     
Isolation                          |         |     
Permissions-based access controls  |         |     
