Submitted to
Mam RABAIL MUSHTAQ
Group no 3
Komal atta roll # 27
Maryam sheikh roll # 10
Rabia Hameed roll # 22
Ayesha aden roll # 34
Mobile Device Security
DEDICATION
We dedicate this research work to our loving parents,
&
our DIRECTOR SIR MAQBOOL TAHIR, our PRINCIPAL PROF. MUHAMMAD MATEEN, and our
respected teacher PROF. WAHEED AHMAD, who guided and encouraged us at every step of our
research work, and also to our college fellows and dear friends, who have always been a source of
courage and inspiration for us.
REGARDS:
Group 3 Page 2
ACKNOWLEDGMENTS
First of all, we bow our heads before Almighty Allah for His kindness and are
highly grateful for the help that enabled us to complete this report. We pay our deepest
gratitude to all our teachers for their valuable guidance and encouragement throughout the
entire period of this work. This project is the result of dedicated effort. It gives us immense
pleasure to prepare this project report on “MOBILE DEVICE SECURITY”.
We would also like to express our thanks to our parents for their prayers,
encouragement and moral support during the completion of our report. We are also thankful to
our college fellows and dearest friends, who helped us a lot during this time.
Regards.
Abstract
This report investigates the security issues of mobile devices. It gives information
about the different mobile companies and the issues that these companies and their
devices face. It then explains the rising risks related to mobile devices and how
mobile devices can be managed, and briefly discusses other issues and concerns of
mobile devices.
Questionnaire
1. What is mobile device security?
2. How many people have at least one smart mobile device that you use for business?
3. How many people have Android?
4. What are the goals for allowing mobile devices into your enterprise?
5. How can you measure how well you achieve these goals?
6. What data will and will not be allowed on mobile devices?
7. Which employees and contractors will be allowed to connect?
8. What devices will be allowed to connect to the enterprise? Apple? Android?
9. Will devices be required to be up to date/patched?
10. If so, how will this impact Android use?
11. Will jailbroken devices be allowed?
12. How will these requirements be monitored and enforced?
13. How will you detect or prevent malware?
14. What are the specific security controls that you would like to enforce?
15. Which devices support those controls?
16. How will you protect the enterprise from liability of wiping personal data?
17. What controls (technology or policy) can you put in place around Android devices?
18. Are you willing to support older/weaker versions of Android that have limited security controls?
Table of contents
Introduction to device security
Top 5 mobile device security concerns
Threats
Prime targets for attackers
Mobile security landscape
The small mobile device environment
Rising risks and concerns with smart devices
Managing mobile devices
Other issues and concerns
Concluding remarks
Securing mobile devices has become increasingly important in recent years as the number of
devices in operation and the uses to which they are put have expanded dramatically. The problem
is compounded within the enterprise as the ongoing trend toward IT consumerization is resulting
in more and more employee-owned devices connecting to the corporate network.
SearchSecurity.com's 2012 enterprise mobile security survey polled 487 IT security
professionals and IT managers. The survey found the following top five mobile security
concerns:
2. Application security was the second-ranking concern. One problem is mobile apps that request
too many privileges, which allows them to access various data sources on the device. According
to Domingo Guerra, president and co-founder of San Francisco-based Appthority Inc., many
mobile apps -- especially free ones -- are built with ties to advertising networks, which makes
contacts, browsing history and geolocation data extremely valuable to application developers. As
Guerra put it, "Developers want to monetize, consumers want free apps and then ad networks
will pay developers to get all of that juicy data from their users." According to survey
respondents, leaked corporate contacts, calendar items and even the location of certain
executives could put the company at a competitive disadvantage.
Another concern is malicious or Trojan-infected applications that are designed to look like they
perform normally, but secretly upload sensitive data to a remote server.
3. Device data leakage was the third-ranking mobile security issue. Nearly all of the chief
concerns identified in the mobile security survey, from data loss and theft to malicious
applications and mobile malware, are sources of data leakage. While most corporate access
privileges on mobile devices remain limited to calendar items and email, new mobile business
applications can tap into a variety of sources, if the enterprise accepts the risks, said mobile
security expert Lisa Phifer. Increased corporate data on devices increases the draw
for cybercriminals, who can target both the device and the back-end systems they tap into with
mobile malware, Phifer said. "If you're going to put sensitive business applications on those
devices, then you would want to start taking that threat seriously."
4. Malware attacks were the fourth-ranking mobile security concern. A new report from
Finland-based antivirus vendor F-Secure Corp. found the vast majority of mobile malware to be SMS
Trojans, designed to charge device owners for premium text messages. Experts say Android devices
face the biggest threat, but other platforms can attract financially motivated cybercriminals if
they adopt Near Field Communications and other mobile payment technologies. An F-Secure
analysis of more than 5,000 malicious Android files found that 81% of mobile malware can be
classified as Trojans, followed by monitoring tools (10.1%) and malicious applications (5.1%).
5. Device theft was fifth on the list of top concerns. Smartphone theft is a common problem for
owners of highly coveted smartphones such as the iPhone or high-end Android devices. The
danger of corporate data, such as account credentials and access to email, falling into the hands
of a tech-savvy thief, makes the issue a major threat to the IT security pros who took the survey.
Threats
A smart phone user is exposed to various threats when they use their phone. In just the last two
quarters of 2012, the number of unique mobile threats grew by 261%, according to ABI
Research. These threats can disrupt the operation of the smartphone, and transmit or modify user
data. For these reasons, the applications deployed there must guarantee privacy and integrity of
the information they handle. In addition, since some apps could themselves be malware, their
functionality and activities should be limited (for example, restricting the apps from accessing
location information via GPS, blocking access to the user's address book, preventing the
transmission of data on the network or the sending of SMS messages that are billed to the user, etc.).
• Data: smartphones are devices for data management, therefore they may contain sensitive
data like credit card numbers, authentication information, private information, activity logs
(calendar, call logs).
• Identity: smartphones are highly customizable, so the device or its contents are associated
with a specific person. For example, every mobile device can transmit information related to
the owner of the mobile phone contract, and an attacker may want to steal the identity of the
owner of a smartphone to commit other offenses.
• Availability: by attacking a smartphone one can limit access to it and deprive the owner of
the service.
The sources of these attacks are the same actors found in the non-mobile computing space:
• Professionals, whether commercial or military, who focus on the three targets mentioned
above. They steal sensitive data from the general public, as well as undertake industrial
espionage. They will also use the identity of those attacked to achieve other attacks.
• Thieves who want to gain income through data or identities they have stolen. The thieves
will attack many people to increase their potential income.
• Black hat hackers who specifically attack availability. Their goal is to develop viruses and
cause damage to the device. In some cases, hackers have an interest in stealing data on
devices.
• Grey hat hackers who reveal vulnerabilities. Their goal is to expose vulnerabilities of the
device. Grey hat hackers do not intend to damage the device or steal data.
worldwide
• However, developing nations are also among the fastest growing smart mobile
user base
• Partly because there is very little terrestrial infrastructure for other forms
• It's cheaper and easier to build a cellular infrastructure than a wired one
damaged by an earthquake
• This is true even in the United States, where there are almost
Apple
in some areas
developing nations);
2010
keeping an eye on
• What are the driving factors for integrating smart mobile devices into the
enterprise?
devices
• Quite frankly, I have never seen any numbers to support the cost
productivity
integration
• And as we will see, there are some significant concerns that need to be
considered.
• Given this level of concern, and in light of the amount of customer data
• Well, obviously given that there is customer data stored on half of the
concern
• Encryption of locally stored data is available in iOS since about iOS 4.3,
• Android is a different story, no device encryption until 4.0 aka Ice Cream
• Even more troubling however, is the official stance by both Android and
Apple that ultimately the security of the device rests with the end user
corporate data
• Second to the physical security issue, but rapidly gaining ground, is the
pace
• adapting to not only the mobile technology, but the mobile usage patterns
approaches
then replaces key daemons to compromise the device at boot time before
• Mobile malware exhibits all the same types of behavior we’re used
to in other environments
• India, Russia, and the US roughly equal with a little over 10% of total
infections each
• Several reasons exist for this, one of the most significant is simply
market share
• Malware written for Android has the potential to infect many more
platforms
the issue we need to take a closer look at the almost 50% of the
devices
requirements
• It's when we start looking at the relative update history of the devices
that the real story comes out – and it's not a pretty one for Android
• The next three slides show the update history of every smart mobile
three versions
• The X’s indicate when the device was being actively sold
• Updates and patches were available for all iOS based phones sold since
day one
computer connectivity
or less.
release.
2010.
Sandwich.
• There are three primary ways that malware infects a mobile device
application from an app store, disassemble it, compile in the malware then
• Angry Birds, one of the most popular applications, had at least one
• Sometimes the malware isn’t included, just some code to download the
that then attack via browser vulnerabilities – just like in the desktop world
• The single biggest source of malware for mobile devices is the various
app stores
• Neither Apple nor Google does much to vet software for security issues
will do
• In addition to the official Android Market, Android devices can also “side
more malware
• Most users just blindly accept whatever the application asks for
protections available
• There are some tools to scan email attachments, but this is really focused
infection
• Ironically, it’s the architecture of the device operating systems that keeps
each application in its own segregated application space that also prevents
with malware
by the jailbreak
of the devices
flexible
• Android MDM APIs much weaker than iOS, though slightly better in 3.0
• One of the most significant problems with the Android API is the
• Additionally, our testing shows that sometimes the device does not
even restore to the configuration and software that came from the
carrier
devices
the communication
• Both Google and Apple have a mechanism for store and forward
device
• These allow MDM to send a message to the device, and for that
• VPN and Proxy - Forces all traffic back to enterprise proxy via
IPSEC VPN
malware detection/protection
work force, VPN and Proxy might require building out a global
• However, one of the biggest issues with VPN and proxy, there is no
• There are other, non-technical issues that any enterprise considering smart
• Especially if the enterprise will be providing help desk service for mobile
devices
• Also, if the enterprise is using, or intends to use, cloud services for email/
as well
• Additionally, the mobile device vendors and the cloud service providers
• Take a look at the Gartner Magic Quadrant for MDM, they are all almost
• When you try to combine two consumer items, the mobile device and the
cloud service, and manage it with an early stage technology, you will not
• It is imperative to realize, the latest crop of smart mobile devices are not
just phones
like a telephone
IT/technology channels
data protection
• Integrating smart mobile devices into the enterprise also brings additional
liability risks
• What happens if this is the employee’s only picture of his dead Granny? -
Actual case!
• What happens if the employee then goes to work for another company,
and your HR processes don’t get around to wiping his or her device until
• Now you are wiping some other company's data off their employee’s
device
• Also, consider the costs/impacts of rising help desk calls with these
devices
expectation that they respond and has that been communicated clearly?
• If so, how does that impact hours worked or billing? Can they bill for that
time? What about the intervening time between the end of the day and
• What if the employee is on vacation? Can he or she now claim that is not
a vacation day?
• Another critical issue to consider for enterprises that utilize cloud services
device users have a password rather than using SAML or OAUTH, the
enterprise has very little visibility into and control over the data
synched anywhere
• If a device is lost, and there is a possibility for regulated data on it, it may
• In which case your US based data center must comply with the
• Also consider the use of these devices by your executives and board
members
environment
IT, InfoSec, HR, and Legal at a minimum need to be involved in the