Institute: UIE, Department: CSE, Bachelor of Engineering (Computer Science & Engineering)

INSTITUTE : UIE

DEPARTMENT : CSE
Bachelor of Engineering (Computer Science & Engineering)
WEB AND MOBILE SECURITY (Professional Elective-I)
(20CST/IT-333)

TOPIC OF PRESENTATION:
Mobile Security Fundamentals.

DISCOVER . LEARN . EMPOWER


Lecture Objectives

In this lecture, we will discuss:


• Mobile Security Fundamentals: Introduction to Mobile Security

2
Goals
• What’s different about mobile security?
• Non-homogeneous hardware architecture
• Device capabilities
• Attacker goals
• Software ecosystems

3
Processor Architecture

4
Device Capabilities
• Connectivity
• GPS
• Cellular Network (GSM/CDMA)
• WiFi
• NFC
• Sensors
• Accelerometer
• Gyroscope
• Ambient Light
• Compass
• Barometer
• Fingerprint sensor
• Battery-powered
5
Malware Types
[Pie chart of mobile malware types; only its labels and percentages survive extraction. Categories shown: Trojan (SMS), RiskTool, Adware, Trojan, Monitor, Backdoor, Trojan (Financial), Exploit, HackTool, Trojan (Downloader), Others. Percentage labels shown: 57.08%, 21.52%, 7.37%, 3.44%, 2.72%, 2.54%, 1.98%, 1.62%, 0.64%, 0.59%, 0.50%; the extraction does not preserve which value belongs to which category.]
6
Software Ecosystem
• Resource-limited devices
• Compute
• Power
• Event-driven programming
• No main() method
• State transitions via callbacks
• Well-defined interfaces
• Application lifecycle
• Access to user data
• Centralized software distribution
• Can only download applications from a single source
• Vendor takes responsibility for filtering content

8
Overview
• Architectural complexity
• New attack vectors
• Mobile operating systems
• Operating system safety protections
• Software development and distribution model
• Common problems with real-world software
• Cryptographic misuse
• Personal information leakage
• Current research techniques

9
ARM TrustZone

10
Overview
• Architectural complexity
• New attack vectors
• Mobile operating systems
• Operating system safety protections
• Software development and distribution model
• Common problems with real-world software
• Cryptographic misuse
• Personal information leakage
• Current research techniques

11
Introduction: Android
• Originally developed by a startup in 2003
• Bought out by Google in 2005
• Publicly released in 2007
• Mostly released under open source license
• Proprietary device-specific drivers distributed in binary form
• Access to Play Store and Google applications requires licensing agreement
• Fire OS, Baidu, Yandex.Store, etc.

12
Security Model
• Utilizes a modified version of the Linux kernel
• Changes are slowly being merged back upstream
• UNIX permission model for applications
• Mandatory sandbox as separate users (distinct UID)
• Limited interface for inter-process communication
• Applications are cryptographically signed and verified

13
Architecture: Android

14
Safety Enhancements
• Android 1.5+
• Stack overflow protection (-fstack-protector)
• Safe integer operations (-lsafe_iop)
• Double free protection
• Memory allocation integer overflow protection
• Android 2.3+
• Format-string protections (-Wformat-security)
• Data execution protection (DEP)
• NULL pointer dereference protection (vm.mmap_min_addr)
• Android 4.0+
• Address Space Layout Randomization (ASLR)

15
Safety Enhancements
• Android 4.1+
• Position Independent Executables (PIE)
• Read-only relocations (-Wl,-z,relro -Wl,-z,now)
• Android 5.0+
• Default full disk encryption
• Mandatory PIE
• SELinux
• Android 6.0+
• Verified boot
• USB access control
• Monthly security patches

16
Permission Model
• Capability-based access control model
• Categorized into various functional groups
• Bluetooth
• Camera
• Location (fine/coarse-grained)
• Network/data connection
• SMS/MMS
• Telephony
• User receives permission prompt at install-time
• All-or-nothing

17
Permission Model

18
Permission Model

19
Permission Model
• Starting with Android 6.0 (Marshmallow), permissions are queried at run-time
• Allows users to deny individual permissions
• Was briefly available for Android 4.4.0 – 4.4.2
• 3rd party solutions
• Xposed Framework (requires root)

20
Application Structure
• Written in Java
• Interpreted by the Dalvik bytecode virtual machine
• Uses just-in-time (JIT) techniques to compile native code
• Replaced with Android Runtime (ART) in 5.0+
• Introduces ahead-of-time (AOT) compilation instead of JIT
• Can also call into native code
• Uses Java Native Interface (JNI) to interface with C/C++ libraries

21
Application Structure
• Activity
• Portions of the application’s user interface
• Login window, registration interface, etc.
• Service
• Performs background processing
• Download a file, play music, etc.
• Broadcast Receiver
• Handlers for global messages
• Boot completed, power disconnected, etc.
• Content Provider
• Manages access to structured data
• User calendar, contacts, etc.

22
Architecture: iOS

23
Application Structure
• Written in Objective-C or Swift
• Compiled by Clang/LLVM into native code
• Swift uses Automatic Reference Counting (ARC) for automatic memory management (in place of a tracing garbage collector)
• Transitioning to open source later this year
• Uses Model-View-Controller (MVC) design paradigm
• Application objects are model, view, or controller
• Abstracts data from logic and presentation

24
Application Approvals
• Applications are typically submitted by developers to the App Store for inclusion
• These undergo a review process for unwanted behavior or policy violations
• Objectionable content
• Game emulators
• Internal APIs
• Techniques
• Static analysis
• Manual review

25
Enterprise Provisioning
• Enterprise developer certificates allow bypass of the App Store
• Designed for deployment of internal applications to employees
• Historically, have also been used to bypass platform security
• Game emulators
• Jailbreaking
• Malware

26
Cryptographic Misuse
1. Usage of ECB mode for encryption
2. Usage of static IVs in CBC mode
3. Usage of hardcoded symmetric encryption keys
4. Usage of low iterations for password-based encryption
5. Bad seeding of random-number generators

27
Cryptographic Misuse
• CryptoLint, Manuel Egele et al. (CCS 2013)
1. Extract a control flow graph of an application
2. Identify calls to sensitive cryptographic APIs
3. Perform static backward slicing to evaluate security rules
• Allows for automatic detection of cryptographic misuse
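As an added illustration, not code from the slides or from the CryptoLint paper, the following Python linter flags the five misuse classes listed on the previous slide in a constructed sample of Android Java source. It approximates CryptoLint's rules with textual patterns rather than control-flow graphs and backward slicing, and the 1,000-iteration threshold for rule 4 is an assumption.

```python
import re
from typing import List, Tuple

# Constructed sample of Android Java source (not from the slides) that
# exhibits each misuse class from the lecture, plus one correct call.
SAMPLE_SOURCE = """\
Cipher c1 = Cipher.getInstance("AES");
Cipher c2 = Cipher.getInstance("AES/ECB/PKCS5Padding");
IvParameterSpec iv = new IvParameterSpec(new byte[16]);
SecretKeySpec key = new SecretKeySpec("0123456789abcdef".getBytes(), "AES");
PBEKeySpec spec = new PBEKeySpec(pw, salt, 100, 256);
SecureRandom rng = new SecureRandom("seed".getBytes());
Cipher ok = Cipher.getInstance("AES/GCM/NoPadding");
"""

# Assumed threshold for rule 4; the slides give no number.
MIN_ITERATIONS = 1000

# One textual rule per misuse class on the slide. A bare "AES" transform
# is flagged because the JCE provider default for it is ECB mode.
RULES = [
    ("R1", re.compile(r'Cipher\.getInstance\("(AES|DES|DESede)(/ECB[^"]*)?"\)'),
     "ECB mode (explicit, or provider default when no mode is named)"),
    ("R2", re.compile(r'new IvParameterSpec\((new byte\[\d+\]|"[^"]*"\.getBytes\(\))'),
     "static IV"),
    ("R3", re.compile(r'new SecretKeySpec\("[^"]*"\.getBytes\(\)'),
     "hard-coded symmetric key"),
    ("R4", re.compile(r'new PBEKeySpec\([^,]+,[^,]+,\s*(\d+)\s*,'),
     "low iteration count for password-based encryption"),
    ("R5", re.compile(r'new SecureRandom\([^)]+\)|\.setSeed\('),
     "statically seeded random-number generator"),
]


def lint(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, rule id, description) for each misuse found."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for rule_id, pattern, desc in RULES:
            match = pattern.search(line)
            if match is None:
                continue
            # Rule 4 only fires when the literal count is below the threshold.
            if rule_id == "R4" and int(match.group(1)) >= MIN_ITERATIONS:
                continue
            findings.append((lineno, rule_id, desc))
    return findings


if __name__ == "__main__":
    for lineno, rule_id, desc in lint(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule_id} {desc}")
```

Because it matches text rather than data flow, a key or IV built at run-time from a constant would slip past this linter; that gap is exactly what CryptoLint's backward slicing closes.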

28
References:
Books:
1. Neil Bergman, Mike Stanfield, Jason Rouse and Joel Scambray, Hacking Exposed Mobile: Security Secrets & Solutions, 1st Edition (Kindle Edition).
2. Joel Scambray, Vincent Liu and Caleb Sima, Hacking Exposed Web Applications, 3rd Edition, McGraw-Hill, October 2010.

Video Lectures:
3. https://slideplayer.com/slide/6402052/
4. https://slideplayer.com/slide/6539985/

Reference Links:
5. https://www.slideshare.net/dilipdubey5/mobile-security-55068970.
6. https://slideplayer.com/slide/13906346/
THANK YOU