Mobile Phone Security Research

Mobile phone security

Contents

Executive Summary

Introduction

Context Establishment

Risk Assessment

Privacy Analysis

References

 

 

Executive Summary

Mobile phone security entails having a safety plan on a device that locks out any unauthorized access to data. Modern-day mobile phones have a mobile security plan that protects their users against data breaches and unauthorized access to critical data. The information and applications found in the phone are for personal use, and therefore they should be protected against privacy infringement by unauthorized persons. Some of the information found in the mobile phone is so sensitive that it is concealed from people who should not have access to it. The user could accidentally leave an opening while altering the source code, making their device vulnerable to cybercriminals. Apart from cybercrime, the user's carelessness can expose the mobile phone to malicious people. Some people can be determined to access data on the mobile phone in order to steal it and use it elsewhere. This is an instance of intellectual property infringement contrary to the tenets of the World Intellectual Property Organization, and a violation of the right to privacy, which is a fundamental human right. It is for this reason that mobile phones require a mobile security plan. Mobile phone security is fundamental in keeping away unauthorized people through a password, pattern, or personal identification number (PIN).

 

 

 

Introduction

Mobile phone security entails having a safety plan on a device that locks out any unauthorized access to data. Modern-day mobile phones have a mobile security plan that protects their users against data breaches and unauthorized access to critical data. Mobile security further protects the users of the gadget from having their sensitive information hacked or tracked (Androulidakis, 2016). In the contemporary world, mobile phone users and business people use mobile phones to store vital statistics about their business and information about their private lives.

It is indeed essential that mobile gadgets be installed with a security plan to conceal the user's crucial information. The reason for this is to protect the privacy and the intellectual property of the user. As much as technology has made life much more comfortable than it was, some unscrupulous people tend to use it to access other people's mobile gadgets, leading to a breach of mobile phone security.

Indeed, technology has made the world look like a small village. Mobile phones have made it easier because some people use these gadgets to store very vital information relating to their day-to-day lives. Mobile phones, just like other technological gadgets, have some software vulnerabilities that can be used by deceitful people to gain access to the phone (Androulidakis, 2016). Furthermore, not all mobile phone users are literate enough to notice foul play on their devices. A software security plan protects the average user from any form of mobile security infringement.

This report aims to define mobile security plans and to identify privacy aspects related to mobile phone gadgets and their applications. The report shall also outline the risks associated with mobile phone application security. Therefore, it shall cover the security threats that face mobile phone users and what they can do to protect their information from being accessed by unapproved persons.

Some of the issues discussed in this report include a contextual establishment, where a brief description of information assets shall be given. The report will further give an overview of device usage, specifically the sensitivity and the importance of the information assets. The rationale for mobile phone security is that many people have made the phone a fundamental part of their lives. Phones are used in doing various tasks, including buying and selling products online, paying bills, and even in schools for learning purposes. These activities can be jeopardized by hackers, hence the necessity of having a mobile data security plan.

The report shall also carry out a risk assessment concerning the mobile phone data security plan. It shall expound on the assets that are likely to be at risk and the various susceptibilities that could be exploited against them. The report shall also look to identify mobile security issues related to the operating system of a mobile phone gadget. In doing so, we shall identify the weaknesses of the mobile phone's operating system regarding security matters.

The report shall be based on one mobile phone application having the best features to avoid security infringement.

 

 

Context Establishment

The phone in question here is an Android device running version 8.1.0. The device's name is Itel P33 Plus, model itel W6001. The gadget has 1 gigabyte (1 GB) of RAM (random access memory). The phone also contains 16 GB of internal storage space, which is expandable to 32 GB when one intends to use a MicroSD card. The Itel P33 Plus is also equipped with an 8 MP (megapixel) plus 0.8 MP dual rear camera. It is also fitted with a 5 MP front camera meant for taking 'selfie' pictures. Additionally, it has a good and reliable non-removable battery with a long-lasting life (4000 milliampere-hours). One of the most loved specifications of this phone is its 6-inch LCD screen with a high-definition resolution of 1440 by 720 pixels.

The Itel P33 Plus has some exciting features and applications, some of which were preloaded before purchasing the phone. The applications include a phone call log, camera, gallery, messages application, file manager, settings, sound recorder, SIM toolkit, user guide, and the Google applications, i.e., Google Chrome, Google Drive, Google Meet, Gmail, YouTube, and Google Maps. Some of the applications that have been installed after purchase are, for instance, Facebook, Twitter, Boomplay, Instagram, Play Store, and Telegram.

The Itel P33 Plus also has an operating system that allows it to run these applications and programs swiftly. The operating system in a phone acts as the master control of the phone. In this particular case, the operating system is Android, which is the leading mobile operating system globally (Ruohonen, Hyrynsalmi, and Leppänen, 2015). The operating system of a phone does several tasks, including detecting any errors in running the phone, executing programs, and allocating resources in the device. Moreover, the operating system, mostly abbreviated as OS, handles mobile phone operations, manipulates the file system, and makes it possible for the user to multi-task applications on the gadget.

Lastly, the phone is fitted with what is known as the kernel. This software is the central component of a mobile phone's operating system, which manages communication between the phone's software and the hardware. The kernel version of this phone is 4.4.83 (GCC version 4.8 [GCC]).

The phone contains data of all kinds. The data ranges from messages, photos, videos, mobile contacts, secret images, music, mobile phone games, and educational materials. Having a storage of 16 GB, the phone can store all forms of data up to that capacity. Out of the 16 GB, the phone's data has occupied approximately 14.04 GB, leaving a free space of 1.96 GB of the total space. In a brief breakdown, photos and audio have occupied 2.1 GB, music and audio 1.5 GB, games 0.2 GB, files 1.6 GB, and the system occupies the rest of the space. The Itel P33 Plus has the option of freeing up the stored data to create space for other information and applications.

This information and applications found in the phone are for personal use, and therefore they should be protected against privacy infringement by unauthorized persons. Some of the information found in the mobile phone is so sensitive in the sense that it is concealed from people who should not have access to it (Lee and Chen, 2006). Furthermore, some people can be determined to access data on the mobile phone for data theft to use it elsewhere. This is an instance of intellectual property infringement contrary to the tenets of the World Intellectual Property Organization. It is also a violation of the renowned universal right to privacy.

It is for this reason that mobile phones have required a mobile security plan. Mobile phone security is fundamental in keeping away unauthorized people through a password, pattern, or personal identification number (PIN).

I use my phone mainly for communication purposes: short text messages (SMS), phone calls, and mail messages. Some of the messages I communicate to people are confidential and need protection from anyone who wants to access my phone unlicensed. I also use the phone to make calls to friends and relatives to discuss any matter, whether essential or casual. Furthermore, I chat with strangers who became friends online on platforms such as Facebook, WhatsApp, Instagram, and Twitter.

Mobile phones act as information assets. An information asset is described as an organized documentation integrated into a communication arrangement that makes it possible for an organization to reach its goals (Breitinger, 2010). It is my responsibility to safeguard sensitive information in the asset from its creation until it is utilized and destroyed accordingly. Sensitive items are prone to being attacked or destroyed prematurely by people with ill intentions. Therefore, sensitive information should be wiped out after the licensed user has used it.

My phone has approximately 26 applications. Out of these, there are some that I frequently use, whereas there are others that I rarely open. To start with, the applications I rarely use include a camera (I do not fancy taking pictures), telegram, calculator, calendar, google maps, google meet, and Instagram. Information associated with these kinds of applications is essential but does not need to be secured. I seldom use these applications because they are of little use to my day to day activities.

On the other hand, I often use phone calls, application messages, galleries, music players, WhatsApp, Twitter, Facebook, Gmail, Google search, YouTube, and chrome. These applications have sensitive information that should be protected from being accessed by unauthorized persons. Information stored in these applications is crucial, but they are secure courtesy of my phone's mobile phone security plan.

 

 

Risk Assessment

WhatsApp is a Facebook-owned messaging application. It is widely used in the world, with over 20 billion users globally. The application uses end-to-end encryption to keep third parties from accessing information shared between two parties. Even though WhatsApp is encrypted, it is not flawless. The Forbes journal reports that various vulnerabilities that can be used by hackers and attackers have been identified.

Recently, technologists have discovered a bug that allows a criminal to use a malicious GIF image to open weaknesses in WhatsApp and consequently access its information. The infringement occurs when an attacker sends a malicious GIF file to his/her target through any well-known channel (Islam, Das, and Chen, 2017). Once the malicious GIF image is on the victim's gadget, and the victim opens the gallery within WhatsApp to send a file, the information and the contents of the user's WhatsApp become vulnerable.

This particular WhatsApp attack relies on a 'double-free' bug, which happens when the same memory address is freed twice. This upsets memory allocation in a way that makes the app crash or opens up a vulnerability. The WhatsApp spokesperson alleged that the issue affected only the user on the sender side and that it would affect the sender's (attacker's) gadget. The technologist, Awakened, stated that action from the victim's device was required. He affirmed that opening the gallery within WhatsApp exposes the vulnerability by way of the attacker's image planted on the victim's machine. WhatsApp publicly stated that the bug had been identified and addressed.
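The double-free condition described above, shown as an added C example of the defensive pattern (this is not WhatsApp's code and not part of the original report): a release routine that clears the pointer, so a cleanup path reached twice frees the buffer only once. The `frame` type and the functions `frame_drop`, `frame_resize` and `preview` are hypothetical names chosen for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical image-decoder state; names are illustrative only. */
typedef struct {
    unsigned char *pixels;   /* owned heap buffer, or NULL when none */
    size_t         size;
} frame;

static int frees_done = 0;   /* counts real calls into free(), for the demo */

/* BUGGY pattern (kept as a comment so nothing here triggers it):
 *     void frame_drop(frame *f) { free(f->pixels); }
 * f->pixels still holds the old address afterwards, so a second
 * frame_drop(f) hands the same address to free() again: a double free. */

/* Hardened release: free once, then forget the address. */
void frame_drop(frame *f) {
    if (f->pixels != NULL) {
        free(f->pixels);
        frees_done++;
    }
    f->pixels = NULL;
    f->size = 0;
}

/* Resize without leaving a stale pointer behind. realloc(ptr, 0) is
 * implementation-defined and may free the block, so a zero-size request
 * is routed through frame_drop() instead of being passed to realloc(). */
int frame_resize(frame *f, size_t n) {
    if (n == 0) {
        frame_drop(f);
        return 0;
    }
    unsigned char *p = realloc(f->pixels, n);
    if (p == NULL)
        return -1;           /* old buffer is still valid and still owned */
    f->pixels = p;
    f->size = n;
    return 0;
}

/* Builds a w*h preview buffer. Both the error path and the common exit
 * release the buffer; that is safe only because frame_drop() clears the
 * pointer after the first free. Returns 0 on success, -1 on bad input. */
int preview(frame *f, size_t w, size_t h) {
    int rc = 0;
    if (h != 0 && w > SIZE_MAX / h)
        return -1;           /* w*h would overflow size_t */
    if (frame_resize(f, w * h) != 0 || f->pixels == NULL) {
        frame_drop(f);       /* error-path cleanup */
        rc = -1;
    } else {
        memset(f->pixels, 0, f->size);
    }
    frame_drop(f);           /* common-exit cleanup: no-op if already freed */
    return rc;
}
```
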

Android phones have been prone to be hacked by deceitful people. One of the reasons for this is because many phones are powered by android compared to other operating systems. This makes it a comfortable and attractive target for cybercriminals to send malware and viruses that could make android powered mobile phones vulnerable to attack.

Unlike Apple phones, whose operating system is closed, Android phones are the opposite. The Android operating system is based on open-source code, which means that users of Android gadgets can interfere with the device's operating system (Breitinger, 2010). By fiddling with the operating system, Android phone users can create a weakness in their gadget's security. Additionally, the manufacturers of Android phones tend to put out new devices with some alterations to the operating system, which could create a vulnerability.

Furthermore, some actions by the user invite vulnerability in the device's operating system. For instance, Android users should stick to downloading applications from the Play Store. This is because downloading a rogue application from a third-party source can be the easiest means of infecting an Android operating system with a virus (Shih, 2008). The Play Store consists of applications that are well secured against malware, and therefore downloading an application from any other location jeopardizes the operating system's security.

Due to the popularity of the android operating system globally, developers have been creating applications designed to run on the network. As much as this is an advantage on the part of these phones' users, it is a threat to the operating systems of their gadgets (Islam et al., 2017). This is because hackers tend to create harmful applications calculated to infect mobile phones with destructive viruses.

As aforementioned, the open-source code of the Android operating system allows users to change the way their mobile phones operate (Ruohonen et al., 2015). The user could accidentally leave an opening while altering the source code, making their devices vulnerable to cybercriminals.

The device owner’s behavior can create a mobile security risk. Apart from cybercrime, the user's carelessness can expose the mobile phone to evil people. Human beings tend to be too trusting, which is an issue when it comes to mobile security (Breitinger, 2010). So many complimentary messages and messages of calls for help are sent to different mobile phones. It is upon the device's user to discern between the genuine messages and traps from online hackers. Being too trusting to everyone can lead to a person revealing their phone passwords and data, which could be used by unauthorized persons to access data on the phone.

Besides, forgetful people can leave their phones behind (restaurants, buses, taxis, hotel rooms) and therefore losing the gadget. The dangers of losing the device can be losing the entire data, never to be found again (Androulidakis, 2016). Another threat is that the mobile phones left behind can be accessed by other people hence keeping the information and other sensitive data in the mobile phone at risk.

Also, some human beings are too lazy to create strong passwords that should protect their mobile phones. Safe computing necessitates that users identify strong and long passwords that are private to them and compatible with the gadget's operating system. Short passwords can be easily guessed by cybercriminals, hence endangering the security of the mobile phone's data.

Mobile phones are not viewed as professional gadgets, and therefore they do not receive the professional security they desperately need. People usually mix professional information with their data, hence inviting a casual attitude towards their data's safety. They then get casual about their phones' passwords, thus risking the security of the data stored in mobile phones.

Physical threat to mobile phone security usually happens when someone misplaces their mobile phones or lose them to thieves. The phones fall in the hands of hackers who typically know how to access information stored in the mobile phones after hacking the phones’ passwords.

By having phones in their hands, hackers can easily trace the applications linked to corporate data and to sensitive and confidential data. Modern mobile phones usually save the device's passwords, making it easy for hackers to log into applications. This, therefore, calls for mobile phone users to be more careful with their phones to keep them safe from hackers.

Moreover, the passwords and screen locks should be kept a secret to the users. When a device owner shares his/her password with other people, he/she risks having the data leaked when a person knowing the phones gets access to it (Islam et al., 2016). To have too much trust in people can lead to having the password being shared with different parties hence jeopardizing the security of the information stored in the mobile device.

Very many mobile phones with different kinds of operating systems have made it to the market. As a consequence, the risks associated with mobile security have increased significantly over the years. Many people expect their Android phones or iPhones to be automatically secure (Doherty, 2016). In reality, the users of these mobile phones bear the responsibility for the security configuration changes on their phones that make them safe or vulnerable.

My itel p33 plus android mobile phone has been secured from all forms of mobile phone insecurity. The applications that were not preloaded into the phone on purchasing have all been downloaded from the play store. This avoids downloading harmful applications from unknown sources, which could endanger the mobile phone's operating system.

Privacy Analysis

The application in question here is WhatsApp. It is a Facebook-owned messaging application. The application's privacy policy is to have an end to end encryption on messages, meaning third parties cannot have access to data shared between two individuals. The privacy policy is available at the WhatsApp website (www.WhatsApp.com).

 WhatsApp collects private information from the sender to the user of the application. It also contains non-personal and corporate information.

 The information is collected directly from the receiver and the sender of the data. The information is stored in the app and in the mobile phone’s storage application where the user can access the data whenever he wants.

The collected information is highly relevant to the user, more so if it is corporate information. The information collected can be stored and used for future reference.

 Third parties can also share information in WhatsApp by forwarding to them in the same forum or transferring it to other applications such as Gmail. There is no limitation as to which application WhatsApp can share a document with.

 In this application, the user has unlimited access to the information held by the application. There is no outlined process by which a user can access his own information because it is straight forward.

 

 

Risk Treatment and Countermeasures

 

Overview of the security issue from the previous part:

The previous part describes a bug in the Android version of WhatsApp that may expose users to hacker attacks. The vulnerability affects WhatsApp's GIF function, which is still quite popular among users. According to security researchers, hackers use GIF files to push malicious code via messages, emails, or even third-party applications to the victim's mobile phone. When the user downloads the GIF file and then opens it again in the gallery on WhatsApp, the code carries out a "remote code execution" attack on the Android phone, allowing hackers to access and control the user's data. This compromises the confidentiality of the security target: the private data associated with the WhatsApp user's account is stolen without the user's consent or authorization. This private data is closely tied to the user and, more seriously, the attacker may leak it to an unauthorized third party; it is all the more valuable if it is company information.

Treating the risk:

The first control measure is to remind users to download the application from a regular official store, and to update the application regularly to obtain the improvements and security support of the application's developer.

At the same time, users need to manage their keys properly, for example by not sharing passwords with others and by regularly clearing password data stored locally. Password verification in user apps like WhatsApp mainly uses online authentication. Developers can specify the minimum length of user passwords and complexity requirements for letter case, digits and special characters, and can also rate-limit guessing through the application and over the network (that is, limit the number of times a password can be entered per unit time). This slows down an attacker's use of a password dictionary for brute-force attacks, because working through all the wrong guesses takes time.

The third method is to combine this with biometric authentication. For example, when using an application, the user must be verified by a PIN together with a biometric such as the face. The use of strong authentication benefits the security of the application.

Type of control measure:

Downloading apps from official channels and setting rules for passwords are preventive control measures. The former avoids direct exposure to attacker-supplied threats such as viruses and Trojan horses, and the latter is designed to make the process of exhaustively trying all options and discarding the wrong values take so long that it is not worth the attacker's resources. This is the second of the three measures Lemos recommends to improve API security.

The third method uses strong authentication methods such as biometric authentication, which can increase the difficulty of attackers. This is the first of the three measures Lemos recommends to improve API security.

Degree of protection provided:

Obtaining the latest updated apps can help avoid previous security threats and attacks, but it cannot be done once and for all because hackers will exploit and attack new apps.

Password complexity settings and password authentication rate-limiting will slow down the data collection process for a single user, but cannot prevent it. The attack method of making repeated queries is still effective (so it cannot prevent the attack from happening), but it will take longer for the attacker to try all possible values. This should reduce the possibility of exploiting this vulnerability. If the attacker thinks that he can tolerate the cost of such a long attack time, such as when obtaining very valuable intelligence, the attack time is also worth spending. In this case, it has no effect on the result.
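The password rules and attempt rate limit described under "Treating the risk", and the point made above that rate limiting lengthens an exhaustive search without preventing it, worked through as an added C example (not code from WhatsApp or from the original report). The thresholds `MIN_LEN`, `MAX_ATTEMPTS` and `WINDOW_SECS` are assumed values, and all function names are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Assumed policy values: the report names the kinds of rule, not numbers. */
#define MIN_LEN       10
#define MAX_ATTEMPTS  5      /* guesses allowed per window, per account */
#define WINDOW_SECS   60

/* Returns 1 when pw meets the minimum length and contains an upper-case
 * letter, a lower-case letter, a digit and a special character. */
int password_ok(const char *pw) {
    int up = 0, lo = 0, dg = 0, sp = 0;
    size_t n = strlen(pw);
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (isupper(c))      up = 1;
        else if (islower(c)) lo = 1;
        else if (isdigit(c)) dg = 1;
        else if (ispunct(c)) sp = 1;
    }
    return n >= MIN_LEN && up && lo && dg && sp;
}

/* Per-account sliding window holding the times of the latest attempts. */
typedef struct {
    long stamps[MAX_ATTEMPTS];
    int  used;               /* number of valid entries */
    int  next;               /* index of the oldest entry once full */
} limiter;

/* Called for each password attempt at time `now` (seconds).
 * Returns 1 if the attempt may be checked, 0 if it is throttled.
 * Throttled attempts are not recorded. */
int attempt_allowed(limiter *l, long now) {
    if (l->used < MAX_ATTEMPTS) {
        l->stamps[l->used++] = now;
        return 1;
    }
    if (now - l->stamps[l->next] >= WINDOW_SECS) {
        l->stamps[l->next] = now;            /* replace the oldest entry */
        l->next = (l->next + 1) % MAX_ATTEMPTS;
        return 1;
    }
    return 0;
}

/* Worst-case days an online attacker needs to try every secret of the given
 * length over the given alphabet while held to the rate limit above. */
double exhaust_days(int alphabet, int length) {
    double keyspace = 1.0;
    for (int i = 0; i < length; i++)
        keyspace *= alphabet;
    double per_day = (double)MAX_ATTEMPTS * 86400.0 / WINDOW_SECS;
    return keyspace / per_day;
}
```

With these assumed limits a 4-digit PIN is still exhausted in under two days, while a 10-character password over the 94 printable ASCII characters is out of reach, which is why the rate limit only pays off when combined with the complexity rules.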

The means of strong authentication helps to strengthen the protection level of the application, but there will also be corresponding threat attacks. For example, the black box attack on face recognition by Yinpeng Dong et al. proved that face recognition is not the optimal solution for security protection.

Limitations of this control measure:

Users can only get the latest apps to avoid attacks; the decision to set detailed password verification requirements and to use strong authentication rests with WhatsApp itself and is not under user control. Setting password complexity rules and limiting the number of login attempts is actually very unfriendly to users, because requiring special characters makes passwords harder to remember and may also lose a group of potential users who value simplicity. The use of strong authentication will also increase the cost of application development, because passwords have so far been mostly text data stored in a database, whereas storing pictures such as faces consumes a lot of storage resources. In the end, the cost incurred by the app will be passed on to its users; for example, users will need to see more commercial advertisements.

References

Androulidakis, I. I. (2016). Mobile phone security and forensics. Springer.

Androulidakis, I. I. (2016). Software and Hardware Mobile Phone Tricks. In Mobile Phone Security and Forensics (pp. 47-69). Springer, Cham.

Breitinger, F., & Nickel, C. (2010). User survey on phone security and usage. BIOSIG 2010: Biometrics and Electronic Signatures. Proceedings of the Special Interest Group on Biometrics and Electronic Signatures.

Doherty, J. (2015). Wireless and mobile device security. Jones & Bartlett Publishers.

Lee, C. H., & Chen, S. Y. (2006). U.S. Patent Application No. 11/164,602.

Islam, N., Das, S., & Chen, Y. (2017). On-device mobile phone security exploits machine learning. IEEE Pervasive Computing, 16(2), 92-96.

Shih, D. H., Lin, B., Chiang, H. S., & Shih, M. H. (2008). Security aspects of mobile phone virus: a critical survey. Industrial Management & Data Systems.

Ruohonen, J., Hyrynsalmi, S., & Leppänen, V. (2015). The sigmoidal growth of operating system security vulnerabilities: an. Bioprocess Engineering, 23(6), 607-612.

Lemos, R. (2015, Aug 18) 3 steps to better security in the API economy. Retrieved from http://techbeacon.com/3-steps-better-security-api-economy Date accessed: 29 September, 2015.

Yinpeng Dong, Hang Su, Baoyuan Wu, Zhifeng Li. Efficient Decision-Based Black-Box Adversarial Attacks on Face Recognition. CVPR 2019, 7714-7722.

 

 

 
