Mobile Device Applications Security: Part 1
I’ve already written several blog series covering mobile computing security and mobile device forensics, and it has been gratifying to discover the number of you out there who have read these postings. Because of the potentially great level of security risk that mobile computing introduces, I feel that starting another mini-series on mobile computing would be valuable to you, so here goes.
The risk that goes with mobile computing does not stop at the risks in mobile devices’ operating systems and network mechanisms. A large part of it comes from the applications that run on these devices, and the number of such applications is growing at an ever-increasing rate. The types of functionality they provide include:
• Controlling or interacting with appliances that are part of an organization’s network
• Monitoring and/or remotely controlling desktop computers and/or Web servers
• Monitoring and troubleshooting remote networks
• Recreational use (e.g., games)
A great impetus to the expanding popularity of mobile device applications has been the fact that most are free, and those that are not typically cost about a dollar (although a few cost more). Applications range from accounting programs to books to business and finance applications to gardening to photography and to, well, you name it. And the fact that most applications are distributed through app stores makes finding and downloading them convenient and easy.
All is not well in the mobile device applications arena, however, especially when it comes to usability. One of the major limitations is the small size of a smartphone’s or PDA’s screen, which makes it particularly difficult for users accustomed to larger displays to interact with mobile device applications. The tiny keyboards on these devices also present a barrier to their use. But usability considerations are only part of the overall problem. Information security concerns with mobile device applications also abound. Here are a few of the vulnerabilities that so often exist in these applications:
• Because applications are intended for single-user contexts, there is little or no authentication and authorization in most smartphone and PDA applications. Whatever device passcode the user has set (if any) is then the only control standing between whoever picks up the device and the application’s data.
• If passwords are required at all, the application generally ships with a default (and thus easy-to-discover) password, and there is usually no minimum password length, so a user who does change the default can pick something just as weak.
• Critical security functions such as data encryption, auditing/logging, security indicators (e.g., padlocks) on Web browsers, and security updates are typically absent in mobile device applications.
• Most mobile device applications that I have examined do not have privilege control capabilities. Instead, they run with full privileges, typically as the superuser. (On the original iPhone OS release every application ran as root; later releases confine third-party applications to a sandbox under an unprivileged account, but a jailbroken device reopens the problem.) An application with full privileges can read any file on the smartphone, alter the operating system at will, cause denial of service by draining the smartphone’s or PDA’s battery, and carry out other malicious actions: an attacker’s dream.
• It is almost impossible to determine whether or not smartphone and PDA applications are malicious until they have been downloaded and examined, which is after the point at which most users decide to trust them.
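The authentication and privilege weaknesses in the list above are easy to avoid at the application level. The following is an added example written for this post, not code from any application or vendor discussed here; it shows the app-side checks a single-user mobile application can still perform: a password policy that rejects short and well-known default passwords, salted PBKDF2 hashing so the password itself is never stored, constant-time verification, and a startup refusal to run as root. The default-password list, minimum length and iteration count are assumptions chosen for the demonstration.

```python
"""Added example: app-side credential hardening for a single-user mobile app.

Illustrative code written for this post, not taken from any real application.
Assumptions (hypothetical): the app keeps one local credential record as a
dict; the default-password list, minimum length and PBKDF2 iteration count
are demo values, not a recommendation for any specific device.
"""
import hashlib
import hmac
import os

# Constructed list of vendor/default passwords the policy must reject (assumed).
DEFAULT_PASSWORDS = {"", "password", "1234", "0000", "admin", "default"}
MIN_PASSWORD_LENGTH = 8        # assumed policy value
PBKDF2_ITERATIONS = 200_000    # assumed; tune to the device's CPU budget


def password_policy_violations(password: str) -> list[str]:
    """Return the policy rules a candidate password breaks (empty list = OK)."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.lower() in DEFAULT_PASSWORDS:
        problems.append("matches a well-known default password")
    return problems


def create_credential(password: str) -> dict:
    """Enforce the policy, then store only a salted PBKDF2-HMAC-SHA256 digest.

    The salt is fresh per credential so identical passwords on two devices
    do not produce identical digests.
    """
    problems = password_policy_violations(password)
    if problems:
        raise ValueError("weak password: " + "; ".join(problems))
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest, "iterations": PBKDF2_ITERATIONS}


def verify_credential(record: dict, attempt: str) -> bool:
    """Recompute the digest with the stored salt; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def may_run_with_uid(effective_uid: int) -> bool:
    """Startup check: a single-user app has no business running as root (uid 0)."""
    return effective_uid != 0


if __name__ == "__main__":
    if not may_run_with_uid(os.geteuid()):
        raise SystemExit("refusing to run with superuser privileges")
    for candidate in ("1234", "admin", "correct horse battery"):
        print(f"{candidate!r}: {password_policy_violations(candidate) or 'accepted'}")
    record = create_credential("correct horse battery")
    print("correct password verifies:", verify_credential(record, "correct horse battery"))
    print("wrong password verifies:  ", verify_credential(record, "correct horse batterx"))
```

The point of the example is that none of this depends on the platform: the policy check, the salted hash and the root check are a few dozen lines the application can carry with it, so “intended for a single user” is no excuse for shipping with a default password or none at all.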
Mobile device applications are a relatively recent development. Technology always precedes security, and these applications are no exception to this rule. In my next posting I’ll describe additional security concerns that mobile device applications pose.