Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security of Mobile Operating Systems

Published bySheryl Harrison Modified over 6 years ago

Similar presentations

Presentation on theme: "Security of Mobile Operating Systems"— Presentation transcript:

1 Security of Mobile Operating Systems
Muneeb Alvi

2

3 Windows Phone RIP: /2017

4 end of slide show. click to exit…

5 Android and iOS

6 Android 2 Billion Monthly Active Android devices
82 billion (yes billion with a b) app downloads in just 2016 65 billion in 2015 (significant increase) On phones, tablets, TVs, smart watches, cameras, … Most popular smartphone OS sources:

7 iOS 1.2 billion iPhones sold App Store as 2 million apps
130 billion downloads (yes with a b again) 50 billion dollars paid to app developers from successful apps On tablets, phones, tvs (shares similar apps and ecosytems with tvOS) sources: techcrunch, iphones-over-the-past-10-years-infographic/#27f3d1ab42f8

8 Problems Lots of apps, lots of security concerns
Devices are very personal Hold lots of personal data (pictures, contacts, etc…) Can get lost (should still be secure)

9 Solutions Application Provenance
Inspecting apps Updating OS to handle new vulnerabilities

10 iOS Provenance Provenance: determining ownership or assigning some responsibility/origin One way to distribute apps (Apple App Store) Developer must register with Apple (Requires identity of developer) Licensing agreement App must be tested for privacy and security violations (could take days to weeks) If everything passes, app is signed digitally Digital signature Certificate from Apple linked to the developer Embedded directly into the app before being published Responsibility on developer, deters hackers from attacking published apps (must break digital seal)

11 Not Perfect Apple doesn’t reveal automated process for checking app
How good is it? We don’t know Some bad apps do make it 2009. All apps from Storm8 removed. Were trying to collect personal information.

12 Android Provenance Digitally signed apps (like iOS)
However, does not require developers to register with Google and have Google signed certificates Developers can create as many personal certificates without being monitored by Google $25 fee to distribute from Google’s Play Store Can install apps from APKs without using Google’s Play Store Can be downloaded from any website without monitoring from Google Now hackers can attack website to distribute malicious apps Hackers can create fake digital certificate and put fake company name in certificate (M!CRO$OFT) -> (Microsoft)

13 Android Provenance (Cont)
Hackers can modify trustworthy apps, create fake certificate, distribute elsewhere (Trojan horse) Tradeoff More usability for less security More customizable User should know most of the risks. Responsibility shifts from supplier to user.

14 App on the Phone Provenance: First stage. Tries to prevent bad apps from being available Permissions: Second Stage. Prevent bad apps from affecting device if app has been installed

15 iOS Permissions Permissions: What the app can and cannot do/access
Apple decides which limited set of permissions App can have (closed system, walled garden) User not told/asked about app permissions unless it is absolutely necessary or related to privacy Accessing location, camera, making a phone call, etc… App must ask every time if it can access those personal features

16 Android Permissions User is told what permissions the app will have once it is installed Once app has permissions, it does not need to ask user again until deleted Responsibility moved to user once again Developer just has to convince users to download apps Some apps don’t install until users give full permissions Outcome depends on how aware the user is 100 built in permissions CAMERA, INTERNET With the right permissions, a hacker can do wrong things Data Loss Attacks, obtaining user’s phone number

17 Isolation Each app is protected from other apps

18 iOS Isolation Each app protected from one another (Sandboxing)
Sometimes don’t even know other apps are installed on the device No app can escalate privilege level or affect the kernel Malware attacks can be minimal and only affect app data and some other minor data Apps have access to some system information, can gain other valuable information if app is malicious ( , devices unique ID)

19 Android Isolation Similar to iOS (Sandboxing)
Cannot access kernel or other apps A malicious app cannot affect/hack other apps Using some permissions App can get list of other apps App can launch other apps (such as Maps)

20 Encryption Solution for if device is stolen
Process of transforming data into being unusable unless it is transformed back using a key (typically a long number) Encrypt data on device and data being sent/received by device Passwords (what if they are stored insecurely on otherwise encrypted device) Fingerprints (easy to use and you always have it with you, not difficult to create false fingerprint)

21 iOS Encryption Use of hardware and software Hardware
AES (Advanced Encryption Standard) Encrypt all data stored on device flash memory (Device Unique ID: UID) Each device has unique UID AES keys used to encrypt file system metadata, files, etc… If memory chips are moved to another device, they can’t be decrypted without UID GID (Device Group ID key) Same across all processors in device Used for installing new system software (verify iOS updates)

22 iOS Encryption Data Protection
Operating System (Software) provided level protection All files encrypted with unique File Key Protects data across communication with other devices and internet Prevents decrypting important data while device is locked Rapid Remote wipe Wipe a single encryption key, all data is useless

23 Doesn’t always work Background applications can access system storage
iOS always keeps necessary decryption keys for background apps that need them Malicious app can try to gain access to key and then have access to other sensitive information. Passwords: can be guessed by experienced hacker within 20 minutes Using jailbreak tool (requires physical access)

24 Android Encryption File System based encryption
All user data is encrypted in the kernel (requires user to set password) Uses part of password to perform encryption Encryption has to be explicitly asked by the user (depends on settings of OS) KeyChain Used to securely store user passwords/certificates from installed apps Backed by hardware support Depends on user and applications that decide whether it is used Application should not store a password itself (especially if it is not encrypted)

25 Closing points Security should be considered from the moment an app wants to be hosted on an app store, website, server, etc… Both iOS and Android offer many security systems Difference is who decides when these systems should be activated iOS puts most of the responsibility on Apple Android puts most of the responsibility on user Even with all the systems in place, clever hackers can still get through

26 References Android vs iOS Security: A Comparative Study
Authors: Ibtisam Mohamed, Dhiren Patel An Analysis of Vulnerabilities Presented by Android Malware and iOS jailbreaks Author: Charles Jones

Download ppt "Security of Mobile Operating Systems"

Similar presentations

Www.sophos.com/loveyourphone Mobile device security Practical advice on how to keep your mobile device and the data on it safe.

Mobile device security Practical advice on how to keep your mobile device and the data on it safe.
Security for Mobile Devices

Security for Mobile Devices
Invasion of Smart Phones in Clinical Areas Chrissy Kyak Privacy Officer University of Maryland Upper Chesapeake Health.

Invasion of Smart Phones in Clinical Areas Chrissy Kyak Privacy Officer University of Maryland Upper Chesapeake Health.
Lee Hang Lam Wong Kwun Yam Chan Sin Ping Wong Cecilia Kei Ka Mobile Phone OS.

Lee Hang Lam Wong Kwun Yam Chan Sin Ping Wong Cecilia Kei Ka Mobile Phone OS.
Sophos Mobile Control. Tablets on the rise 2 Trends 3 75% of 157 polled companies encourage employee owned smart phones and tablets to access corporate.

Sophos Mobile Control. Tablets on the rise 2 Trends 3 75% of 157 polled companies encourage employee owned smart phones and tablets to access corporate.
Research Development for Android Coopman Tom. What is Android?  Smartphone operating system  Google  Popular  ‘Easy to develop’  Open-Source  Linux.

Research Development for Android Coopman Tom. What is Android?  Smartphone operating system  Google  Popular  ‘Easy to develop’  Open-Source  Linux.
Vivek-Vijayan University of Tennessee at Chattanooga.

Vivek-Vijayan University of Tennessee at Chattanooga.
Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 18, 20 & 25 March 2015.

Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 18, 20 & 25 March 2015.
MOBILE MALWARE TOPIC #5 – INFORMATION ASSURANCE AND SECURITY Michael Fine 1.

MOBILE MALWARE TOPIC #5 – INFORMATION ASSURANCE AND SECURITY Michael Fine 1.
Presentation By Deepak Katta

Presentation By Deepak Katta
Introduction Our Topic: Mobile Security Why is mobile security important?

Introduction Our Topic: Mobile Security Why is mobile security important?
MOBILE DEVICE SECURITY. WHAT IS MOBILE DEVICE SECURITY? Mobile Devices  Smartphones  Laptops  Tablets  USB Memory  Portable Media Player  Handheld.

MOBILE DEVICE SECURITY. WHAT IS MOBILE DEVICE SECURITY? Mobile Devices  Smartphones  Laptops  Tablets  USB Memory  Portable Media Player  Handheld.
 Security and Smartphones By Parker Moore. The Smartphone Takeover  Half of mobile phone subscribers in the United States have a smartphone.  An estimated.

 Security and Smartphones By Parker Moore. The Smartphone Takeover  Half of mobile phone subscribers in the United States have a smartphone.  An estimated.
IT Security for Users By Matthew Moody.

IT Security for Users By Matthew Moody.
Computer and Information Sciences

Computer and Information Sciences
Understanding Computer Viruses: What They Can Do, Why People Write Them and How to Defend Against Them Computer Hardware and Software Maintenance.

Understanding Computer Viruses: What They Can Do, Why People Write Them and How to Defend Against Them Computer Hardware and Software Maintenance.
Topic 5: Basic Security.

Topic 5: Basic Security.
Convenience product security Collin Busch. What is a convenience product? A convenience product is a device or application that makes your life easier.

Convenience product security Collin Busch. What is a convenience product? A convenience product is a device or application that makes your life easier.
SMARTPHONE FORENSICS 101 General Overview of Smartphone Investigations.

SMARTPHONE FORENSICS 101 General Overview of Smartphone Investigations.
Wireless and Mobile Security

Wireless and Mobile Security

Similar presentations

Ads by Google