Mobile Security 2012

Mobile Security 14-829 – Fall 2012

Patrick Tague Class #2 – Components of a Smartphone* System

*Smartphone can be replaced by “tablet” or a number of other words

– What components are involved in smartphone use?

– What are the risks of this “smartness”?

• Discussion of Mobile App Audit • Discussion of Project components (if time)

Fast processors, Address book, multi-core calendar - “PDA” functions Multiple wireless connectivity “Internet” via WiFi Mobile OS

SMS/MMS Data services over cellular

Computation / processing

Sensing / actuating / control

Entertainment / gaming

...

©2012 Patrick Tague Mobile Operating Systems • In order to deal with the variety of systems, services, and applications, elaborate operating systems became necessary – Aliyun, Android, bada, BlackBerry, Boot2Gecko, Brew, GridOS, iOS, Linux, Maemo, MeeGo, MXI, Palm, QNX, Symbian, Windows (Mobile / Phone / 8), webOS

– Each operating system has different standards, services, styles, behaviors, foci, interactions, etc.

– Each operating system has different vulnerabilities...

• Apps have become a “service mash-up” with no limits in sight

• We like to say “We learn from our mistakes, and we won't make them again”...

• Not surprising... Nobody envisioned the threats we would face in the mobile domain

– Now, a single vulnerability in one app, protocol, or service could allow compromise of the entire device, cascading through any of the multiple connectivity points, spreading through social networks, bypassing standard web and network security barriers... – You get the point. – And, hopefully that's why you're in this class...

– This is where mobile app audits and course projects come into play: you have the freedom to expand on what I cover in whatever way you like

• Each day, we'll have a lecture or survey – After that, we'll have some active discussion about how the day's topic affects security and privacy of selected apps – Each day's discussion will provide insight into how the app could be modified/designed to be “more secure” – Eventually, each student will have a detailed audit

©2012 Patrick Tague What App to Choose? • Make sure the app you choose (or imagine) has a rich set of features that incorporate a variety of mobile services (i.e., a “service mash-up”) – Internet connectivity (xG, WiFi, …)? Location (GPS, AGPS, WiFi, …)? Payment? Bluetooth? ZigBee? Data storage? Cloud services? ????

• Everyone should choose something at least slightly different – the audit should be individual – We'll discuss these almost every day in class, so everyone will benefit from the diversity

Take some time now to brainstorm, discuss, ask questions, think, and plan your audit.

©2012 Patrick Tague Course Projects • Project groups and topics need to be chosen relatively soon (proposal is September 17) • What topic to choose? – It can be something covered in class or not (as long as it's relevant...ask me) – Should relate to state-of-the-art, e.g., no 2G, Bluetooth 1.0, Symbian, etc. – Can be vague for now, details will emerge later • How to form a group? – Talk to people, find common interests, use the discussion forum on BB

Take some time now to talk to others about interests, think about topics, ask questions, come up to the lectern to make a pitch, etc.

No need to limit teams to one campus or the other, distributed teams work great!

– What security features are included in different telecom service classes?

– Vulnerabilities, threats, attacks?

– Telecom security issues on the horizon