Volume 5, Issue 3, March 2015 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com Special Issue: E-Technologies in Anthropology Conference Held at Bon Secours College for Women, India Cyber Crime and Security Issues in Smartphone Technology N. Elamuhil, K. Durga 2nd Year MCA. Anjalai Ammal - Mahalingam Engineering College, Kovilvenni, Thiruvarur DT., India Abstract: Smart phones are becoming a vehicle to provide an efficient and convenient way to access, find and share information; however, the availability of this information has caused an increase in cyber attacks. Unlike Personal Computers, they are in one location but smart phone by their very nature move from location to location. Traditional security software found in personal computers (PCs), such as firewalls, antivirus, and encryption, is not currently available in smart phones. The number and sophistication of attacks on mobile phones is increasing, and countermeasures are slow to catch up. Currently, cyber threats range from Trojans and viruses to botnets and toolkits. Presently, 96% of smart phones do not have pre-installed security software. This research study aims to explore security risks associated with the use of Android smart phones and the sensitive information. This proposed research work is focused to identify issues regarding smart phone access, control and security as well as to discover a programming model to overcome these issues using java and XML platform for remotely track and control the resources of smart phone and its access. Keywords: XML, VPN, PKI I. INTRODUCTION The Mobile platforms and technologies are changing rapidly as on today. With the addition of new and advanced user platforms such as the world's most popular smart phone platforms are now under the verge of being subdued by the emerging platform namely Google Android. Google Android is one of the most popular mobile Operating Systems for Smart phones on the market. Fifty percent population of United Kingdom owns a smart phones Millions peoples of United Kingdom have internet connectivity on their smart phones and access to data services on the move. These latest mobile platforms such as iPhone, Blackberry and Windows mobiles become one of the top selling smart phones/tablets. But due to high risk threats to the Google android frameworks, security assessment is required. Smartphones are becoming very popular almost like desktop and laptops but due to their special characteristics, these devices provide various security risks which are required to be addressed. Mobile applications have rapidly grown and made the users to store more data on their mobile devices and connect their devices to internet more often. Increase in use of the internet creates more security challenges such as malware threats and viruses similar to desktop environment but since the mobile device operating system is not that much developed it is more difficult to mitigate the risks. There are a number of technologies that can be implemented on mobile devices to provide some level of security such as encryption, VPN, firewall and anti-malware scanners. Clearly malware and viruses are not the only threat to mobile devices. Mobile devices are frequently lost or stolen, they will be misused by employees and management is not willing to establish the required policy to ensure the security of mobile devices is enforced. All of these factors are making mobile devices more vulnerable than other types of platforms such as desktops and laptops. II. RELATED WORKS The threats in the mobile device environment are not only limited to personal users, but it also includes corporate environments. It was just a few years ago that only business executives were using Smartphones. However, currently mobile devices are used everywhere in different types of businesses such as sales, management, service and almost any employee who works outside of the office. Remote connectivity is used for the very same work that portable laptops were handling in the field previously, such as managing the inventory, sales, client records, voice communication and email. The only difference is that while laptops are using the same familiar operating systems as a corporate office workstation, mobile devices are running on unfamiliar operating systems which are still evolving rapidly and whose security is not appropriately improved. The differences in mobile devices and operating systems that are running on them with different service providers create a difficult and challenging situation to develop a security baseline in comparing to Windows/Unix desktop environment where the security has been matured. It has been revealed by a group of security specialists that if unprotected data such as intellectual property (67%), customer data (40%) and employee details (26%) which are being carried out in mobile devices get misplaced, it would have dangerous consequences for the organization. At this time, such a data is being carried on mobile devices by few persons like executive managers but © 2015, IJARCSSE All Rights Reserved Page | 152 Elamuhil et al., International Journal of Advanced Research in Computer Science and Software Engineering 5 (3), March- 2015, pp. 152-157 surely when connectivity and integrity of these devices with corporate networks increases, more data is going to be at risk due to lack of security on mobile devices. Client-side software vulnerabilities are considered as the most dangerous types of software vulnerabilities. Since OS vulnerabilities are mostly covered by security experts, hackers are now concentrating on exploiting the existing vulnerabilities in applications and software such as Adobe Acrobat, Flash and MS Office. As more applications are installed on mobile devices, it is very likely that they will be the target of these kinds of attacks as well [5]. So far, mobile platforms have not been the target of hackers quite much. At first, hackers were motivated out of curiosity but now the motivations have been expanded to financial gain. This has led to the theft of a large number of credit card numbers and banking credentials and creation of botnets all over the world. At the time, hackers have not yet felt the need for exploiting mobile devices but when they do, features such as speed of data transfer and permanent connectivity makes mobile devices the perfect devices to be used for sending spam and launching denial of service attacks or as botnets. The more sensitive data is stored on the phone, the more they attract cyber criminals‟ attention and the more vulnerable they become [6]. In a recent study [7], it has been identified that less than 2% of companies have encountered a “serious incident” from mobile devices. However less than half of the same responders mentioned mobile wireless security is important and has the highest priorities. Mobile threats have been classified into three categories. a) Physical b) Mobile network connectivity c) Malware. III. SECURE BOOT The software installed in a smartphone should not be modified after shipment because doing so could nullify some of the protection measures implemented during manufacture. Even if the phone is protected by anti-virus software against malware and by LSM against illicit accesss, tampering with its software can weaken the security function of these protection technologies. Secure boot uses digital signature technology to detect software tampering, and it prevents the execution of software that has been tampered with. A digital signature-created through a combination of a public-key cryptosystem and hash technology – is used for confirming that data exchanged between the data creator and the data user has not been illicitly modified. In the secure boot process, a digital signature of the software(i.e., a “program image”) is created and written into the smartphone. A function verifies the signature of the program executed on boot-up (i.e., the boot-loader). That is, the boot-loader reads the boot-strap program image and verifies the digital signature, thereby ensuring the integrity of the program. The android os has a linux kernel, and smart phones running android are generally designed in such a manner that multiple boot-loaders are executer sequentially after the power is switched on before the android system is started up(figure 1). The image of the primary boot-loader is stored as a non-rewritable program in read-only memory (ROM). It verifies the image of the secondary boot-loader by verifying the digital signature that has been created and stored in advance. The secondary boot-loader verifies the image of the linux kernel in the same way. Power on Primary boot -loader Primary Boot-loader Start-up Secondary boot loader Linux kernel Memory initialization Application CPU Secondary boot-loader initialization loading and signature Linux kernel loading and verification signature verification Secondary boot loader Linux kernel start-up Start up Android system Android system start-up Figure 1 Sequential execution of multiple boot-loaders 3.1 Procedure for creating digital signature The creator of the digital signature generates a private key and a public key in advance. A hash value, called a “message digest”, is calculated from the target program image by using a hash function. The creator then encrypts the message digest by using the private key. The encrypted message digest is used as the digital signature. Subsequently, the program image and digital signature are written into the internal memory of the smartphone(figure 2). © 2015, IJARCSSE All Rights Reserved Page | 153 Elamuhil et al., International Journal of Advanced Research in Computer Science and Software Engineering 5 (3), March- 2015, pp. 152-157 Program image Hash value calculation Encryption Message digest Figure 2 Private Signature creation process key kety signature Internal memory Public key In addition, the public key must be stored in advance into a memory region that cannot be rewritten. This is because the reliability of the digital signature verification would be compromised if the public key itself were rewritten. An example of the memory arrangement in a smartphone is shown in figure 3. INTERNAL MEMORY ROM FLASH MEMORY Primary boot-loader image Secondary boot-loader image Linux kernel image Android system image User data ROM signature Public key signature Figure 3: Example memory arrangement in Smartphone. 3.2 Procedure for verifying digital signature When the smartphone is switched on, the primary boot-loader(stored in Rom) is executed. It reads the image of the secondary boot-loader(stored in flash memory) and acquires the digital signature and public key. It calculates the hash value of the secondary boot-loader image and compares that value with the message digest in the digital signature (which is decrypted using the public key). If the values match, the image read from the flash memory is judged to not have been rewritten, and control is switched to the secondary boot-loader. If they do not match, the image is judged to have been rewritten, and the start-up process is terminated. The linux kernel is verified in the same manner. 3.3 Operation rules for creating digital signature If the private key is leaked, digital signature data could be created by a person with malicious intent. To reduce the risk of leakage, an operation rule for creating signatures should be strictly enforced. For example, the signature creators should be required to work in a secure location, one that is physically separated from the developers, when they create signatures. IV. PROPOSED SOLUTION When it comes to mobile networks, the current design of network security known as platform centric security would not be suitable anymore because it only focuses on the platform and the applications. Mobile data networks © 2015, IJARCSSE All Rights Reserved Page | 154 Elamuhil et al., International Journal of Advanced Research in Computer Science and Software Engineering 5 (3), March- 2015, pp. 152-157 require access to business data anytime and from everywhere and this would create new sets of threats since it compromises the security of a physically secured network in an organization. Data-centric security has been described in order to protect the data rather than protecting the devices. The concept of Data-centric security is to place several layers of security controls on a system. This approach allows a system to use multiple and different sets of methods in order to defend against any attack. Figure 1 illustrates the Data-centric security where the data should be protected by placing different layers of security. Each level of security protects and restricts access to data in different ways. Data-centric security is mostly used in the defense industry and governmental organizations. These types of organizations use security classification and security clearance to provide access rights and security measures. For example, a file classified as „SECRET‟ is stored in secure encrypted networks which in not connected to the open internet. Any type of information has its own level of importance and in case they get misplaced, they would produce different sets of troubles. To understand the concept of data-centric security, it is better to think about the consequences if confidentiality, integrity or availability of a particular file, service or any other data in the organization are compromised. This way, it is possible to provide security measures to protect any data with any level of importance. Let‟s have a look at an example to understand the Data-centric security more precisely. In a Platform/network centric security model, users might be able to use a VPN with a single-factor authenticated such as a password and access the entire corporate network in order to run applications and modify databases etc. In this example, the layers of security in the data-centric module are defined as follows: a user logs in to the network through a VPN and this allows him to access personal data and sales data which are classified as „Level1- Protected‟. If the user tries to access a „Level 2 – Confidential‟ data, then he would require to use a second factor of authentication such as one time PIN from a physical token to authenticate himself. The second authentication allows the file to be decrypted using a public key (PKI) and marks the file as non-locality savable on the device. In case the user requests to access a document that is marked as „Level 3 – Corporate Secret‟, the system will deny the request once it realizes that the user is using a mobile device. Layers of Data-centric module are shown in figure 2. Figure 2. Data-centric Platform © 2015, IJARCSSE All Rights Reserved Page | 155 Elamuhil et al., International Journal of Advanced Research in Computer Science and Software Engineering 5 (3), March- 2015, pp. 152-157 This example applies meta-data classification of data to all the files and application, but this must be extended to the lowest practical level. In a database that stores customer information, it is possible that all the fields have classification tag; it is even possible to tag fragments of a file as sensitive it would be handled differently from the rest of the file. Like any other security control, a balance is required between the requirements of security practices and usability. At least the users need to come up with a permission group for example „Finance‟ and a group for sensitive data for example „Level 2 – Confidential‟. All these steps can be easier with the implementation of a proper user interface which reduces the user interaction. However in order for the system to be successful some level of user participation is necessary to declare the requirements for protecting a data. It is important that these steps be carried out precisely, however meta-tagging the data will enable the system to identify the security measurements required to protect the data automatically. On the other hand, the software is able to scan the file and define a classification level based on the content of the file. This method may have some problems, but it may be useful in some data environments. Normally, when a data enters a database, it would be classified based on the field in question without any user interaction. An organization may perform a threat-risk assessment and implement a security policy based on that. If the assessment is considered risky, then the data that is generated on the mobile device can be considered. Mobile devices might not have the ability to create documents with long pages of texts, but they have other abilities such as taking photos or recording voice and video. It is also important to consider the data stored in the contacts, call register and calendar of mobile devices critical and prepare appropriate approaches for securing them. When deploying mobile networks, data-centricity is a useful model to be considered. If right configuration and policies are in place, data-centric security can effectively and efficiently handle the data-at-rest issue of important information on the mobile devices that are lost by securely deleting (self-destruct) them after they are inactive for a short time or prevent the downloading of the information in the first place. This matter can be addressed by solutions provided by other technologies but they each have their own challenges as well. An example of these technologies can be the availability of mobile broadband connections that makes cloud computing possible. By employing a thin-client model it is possible in real time to push the screen image of the data to a Smartphone instead of the actual data. In this way, it is possible to simplify the playing field by employing remote desktop or VNC connection to the core network such as a single tunnel to the network, a single application to secure on the handset and the volatility of the data once the connection is terminated. An important matter that needs to be addressed is that during inevitable mobile blind spot how security should be implemented by an organization. Most of the time even when the mobile device is out of wireless service areas, work still requires to be carried out. In such situations, consideration and policies should be conducted carefully to ensure only the data that is required for the work to be carried out is stored on the device locally based on parameters that are confidentially predetermined. To ensure high confidence of data-breach prevention, encryption and deletion measures are required to be employed in case a security incident or device loss happens. However still much research is required to be carried out on these new technologies, it is clear that the focus should be toward securing the data and less focus should be given to trying to build impenetrable perimeter defenses. V. CONCLUSION Due to Smartphones highly connected and powerful portable communication skills, their usage is increasing rapidly and soon they are going to replace portable and desktop computers for many tasks. In order to establish corporate policy for security, businesses should understand the range of vulnerabilities that a Smartphone is open to. By their very nature, they are more prone to information theft, password compromises, hacks and theft in general. Organizations have a lot of time to come up with policies and implement technical procedural measures to ensure security of desktops. But the rapid shift to the mobile model requires threat-risk assessments, incident handling planning and preparation and user and administrator training. Mobile devices generate several new threats due to their highly connected natures and unique portability features which demands appropriate attention. Most of the organizations do not want to spend money and time on securing the treats that have not yet caused any damaged but for sure there are several vulnerabilities on traditional workstations and servers that need to be addressed properly. Mobile-targeted malware can steal the corporate data or cause denial of service and compromise the availability of the resources. It is very important to consider policies for mobile systems and cover mobile devices in the incident response process because one thing is for sure and that is incidents would certainly happen someday and you better be ready for them. Integrating data-centric platform security with anti malware software can be considered as future work to enhance the security of mobile devices even more. In this way, data stored in databases can be classified and changes made to data by mobile device users can be monitored as well to ensure unauthorized modification does not occur. REFERENCES [1] 1 Farhood Norouzizadeh Dezfouli, 2 Ali Dehghantanha, 3 Ramlan Mahmod, 4 Nor Fazlida Binti Mohd Sani, 5 Solahuddin bin Shamsuddin “A Data-centric Model for Smartphone Security”. [2] Yasuhiko abe , Hitoshi ikeda, Masafumi Emura, “Security Technology for Smartphones”. [3] Prof. P.L. Ramteke, Dr. D.N. Choudhary, “Smart Phone Access, Control & Security : A survey”. [4] B. Hancock, “Hacker Target: Mobile Phones,” Journal of Computers & Security, vol 19, issue 6, pp.494-495, 2000. [5] Y. Hao, L. Haiyun, Y. Fan, L. Songwu, Z. Lixia, “Security in mobile ad hoc networks: challenges and solutions,” IEEE Journal of Wireless Communications, vol 11, issue 1, pp.38-47, 2004. © 2015, IJARCSSE All Rights Reserved Page | 156 Elamuhil et al., International Journal of Advanced Research in Computer Science and Software Engineering 5 (3), March- 2015, pp. 152-157 [6] The Top Cyber Security Risks, 2009. Available online at www.sans.org/top-cybersecurityrisks [Accessed April 18, 2011]. [7] A. Dehghantanha, N.I. Udzir, R. Mahmod, “Toward Data Centric Mobile security”, Information Assurance and Security (IAS) Conference, 2011. [8] E. Couture, “Mobile Security: Current threats and emerging protective measures”, SANS Institute, 2010. [9] S. Furnell, “Handheld hazards: The rise of malware on mobile devices,” Journal of Computers & Security, vol 2005, issue 5, pp.4-8, 2005. [10] Charlie Collins, and Matthias Kaeppler,‖Android in Practice ―, Manning Publications; 1st edition, 2009 © 2015, IJARCSSE All Rights Reserved Page | 157
© Copyright 2024