Safety on the Line Exposing the myth of mobile communication security Prepared by: Supported by: Cormac Callanan Freedom House and Hein Dries-Ziekenheiner Broadcasting Board of Governors This report has been prepared within the framework Contacts of Freedom House/Broadcasting Board of Governors funding. The views expressed in this document do not FOR FURTHER INFORMATION necessarily reflect those of Freedom House nor those of PLEASE CONTACT: the Broadcasting Board of Governors. Mr. Cormac Callanan July 2012 Email: [email protected] Mr. Hein Dries-Ziekenheiner Email: [email protected] 2 Safety on the Line Exposing the myth of mobile communication security Authors CORMAC CALLANAN HEIN DRIES-ZIEKENHEINER IRELAND THE NETHERLANDS Cormac Callanan is director of Aconite Internet Solutions Hein Dries-Ziekenheiner LL.M is the CEO of VIGILO (www.aconite.com), which provides expertise in policy consult, a Netherlands based consultancy specializing development in the area of cybercrime and internet in internet enforcement, cybercrime and IT law. Hein security and safety. holds a Master’s degree in Dutch civil law from Leiden University and has more than 10 years of legal and Holding an MSc in Computer Science, he has over 25 technical experience in forensic IT and law enforcement years working experience on international computer on the internet. networks and 10 years experience in the area of cybercrime. He has provided training at Interpol and Hein was technical advisor to the acclaimed Netherlands Europol and to law enforcement agencies around the anti-spam team at OPTA, the Netherlands Independent world. He has worked on policy development with the Post and Telecommunications Authority, and frequently Council of Europe and the UNODC. advises on both technical and legal issues related to cybercrime. He was responsible for the first fine ever In 2008 he completed a study of best practice to be issued to a spammer under the EU anti-spam guidelines for the cooperation between service legislation while at OPTA and as lead investigator, he providers and law enforcement against cybercrime was involved in many cybercrime related enforcement (www.coe.int/cybercrime). In 2009 he produced the actions and takedowns; including several malware cases 2Centre (Cybercrime Centres of Excellence Network and high profile international spam cases. for Training Research and Education) study profiling international best practices for IT forensics training to Hein served as legal and regulatory counsel and law enforcement (www.2centre.eu). representative of the Netherlands ISP Industry Association (NLIP) and delegate to the board of the Cormac was president and CEO of INHOPE – the European Internet Service Providers Association International Association of internet Hotlines (EuroISPA). (www.inhope.org) – co-ordinating the work of internet hotlines responding to illegal use/content on the He regularly presents and moderates technical training internet. He co-authored the first INHOPE Global sessions at international conferences on cybercrime and Internet Trend report in 2007, a landmark publication security and delivers training at both government and on internet child pornography. He also served president industry events. Hein regularly publishes and speaks on of the board of the European Internet Service Providers issues relating to law enforcement and cybercrime. Association (EuroISPA). 3 Table of Contents Authors 3 Table of Contents 4 Executive Summary 6 Introduction 7 Background 8 Technical Testing 10 Threat Assessment 11 Country Profiles 15 Conclusions 19 Recommendations 19 Introduction 23 Freedom House 24 Broadcasting Board of Governors 24 Structure of This Report 25 Evolution of Mobile Markets 26 Market Actors 27 Blocking and Monitoring 29 Mobile Threats and Risk 31 Conclusion 37 Background 39 Smartphones 40 Hardware and OS layers 40 APIs and Security 41 Operating Systems: Differences in Architecture and Security 41 Mobile Networks 46 Conclusions 57 Technical Testing 58 Introduction 59 Selecting Applications 59 Testing 60 Set Up 60 Testing Criteria 61 Forensic Data Extraction 63 Selected Results 63 Results of Forensic Extraction 67 Conclusion 68 4 Safety on the Line Exposing the myth of mobile communication security Threat Assessment 69 Introduction 70 Modeling the Mobile Environment 71 Types of Applications 71 Target Audience and Target Use Case 73 Phases of Mobile Phone Usage/Threats 74 Mitigating Threats 78 Countermeasures 79 Interim Conclusions 83 Developments 89 Conclusions 90 Country Profiles 91 Country Overview 93 In-Country Mobile Users 97 Republic of Azerbaijan 104 Republic of Belarus 109 People’s Republic of China 113 Arab Republic of Egypt 116 Islamic Republic of Iran 120 Libya 125 Sultanate of Oman 127 Kingdom of Saudi Arabia 132 Syrian Arab Republic 136 Tunisian Republic 141 Republic of Uzbekistan 144 Socialist Republic of Vietnam 148 Findings 154 Conclusions 155 Recommendations 157 Appendix I Methodology 162 Appendix II Broadcasting Board of Governors Broadcasting Principles 167 Glossary of Terms 168 Information Sources 170 Developers 172 5 Chapter 1: Executive Summary 6 Safety on the Line Exposing the myth of mobile communication security Executive Summary INTRODUCTION There are many stakeholders with different areas of This report evaluates the risks and vulnerabilities responsibility in the mobile market. At the state level, of mobile phone services and apps in 12 specified a government’s department for information and countries: the Republic of Azerbaijan, the Republic communications technologies (ICT) is responsible of Belarus, the People’s Republic of China, the Arab for implementing government policy as well Republic of Egypt, the Islamic Republic of Iran, Libya, as setting and developing telecom strategy. A the Sultanate of Oman, the Kingdom of Saudi Arabia, separate telecommunications regulator is usually the Syrian Arab Republic, the Tunisian Republic, the independent of direct political control and regulates Republic of Uzbekistan, and the Socialist Republic of the TV and radio sectors, fixed line telecoms, mobile Vietnam. Rather than focus on a single innovation, this telecoms, and the airwaves over which wireless study analyzes multiple mobile technologies – including devices operate. The telecommunications regulators operating systems, applications and mobile protocols in the countries appearing in this report are not – to determine their capacity to protect security and sufficiently independent from political influence. privacy and to combat censorship and surveillance. Individual companies called telecom operators – or a Throughout this study the protection of mobile phone telecommunications service provider (TSP) – provide users was of paramount importance. telecommunications services, such as telephony and data communications access, to consumers This project was managed by Freedom House and and businesses. Mobile handset manufacturers supported by the Broadcasting Board of Governors. are responsible for the design, development, and manufacture of devices, in compliance with mobile This study is divided into several sections. The standards. These are then, subject to state approval, Introduction outlines this research initiative and sold in different mobile markets around the world. its methodology. It also justifies the need to focus Often manufacturers adapt handsets for different attention on specific mobile phone environments. markets depending on the requirements of the The Background section provides a comprehensive state in which they are sold. Mobile OS developers description of mobile phone technologies with create the interface installed on mobile handsets. particular emphasis on smartphones. Technical Testing Smartphone operating systems combine many of outlines an analysis of the five primary platforms for the attributes of a personal computer operating smartphone usage: Apple iOS, Google Android, Nokia system with touchscreen, radio cell communications, Symbian, Microsoft Windows Phone, and RIM BlackBerry Bluetooth, WiFi, GPS mobile navigation, camera, video OS. A Threat Assessment analyzes security and privacy camera, speech recognition, voice recorder, music challenges facing citizens who own and use a mobile player, near-field communication, personal digital phone, as well as obstacles confronting mobile internet assistant (PDA), and other features. Application (app) users. The assessment confirms that various platforms developers design and craft software applications can be used to overcome some threats particularly for mobile devices. These applications are either pre- when blocking and circumvention technology is installed on handsets during manufacture or can used. The Country Profiles evaluate 12 countries be downloaded by customers from various mobile predetermined by the BBG for investigation. Data points software distribution platforms. in the analysis include the most recent key performance indicators for each national mobile market, various This report analyzes mobile technologies – including mobile operators, the range of handsets in use and the operating systems, applications, and mobile protocols scale of mobile penetration for each country. The report – to determine how they may work to combat is completed with a short section of Findings and a list censorship and surveillance. The report also provides of Recommendations for the future. an overview of the security and privacy challenges posed by mobile technologies. 7 The global adoption of mobile technologies has
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages176 Page
-
File Size-