Mobile security catching up? Revealing the nuts and bolts of the security of mobile devices

Proceedings - IEEE Symposium on Security and Privacy

Volumn , Issue , 2011, Pages 96-111

  Becher, Michael ^a   Freiling, Felix C ^a   Hoffmann, Johannes ^b   Holz, Thorsten ^b   Uellenbeck, Sebastian ^b   Wolf, Christopher ^b  

^a UNIVERSITY OF MANNHEIM   (Germany)

^b RUHR UNIVERSITY BOCHUM   (Germany)

Author keywords

Mobile security; Smartphones; Survey

Indexed keywords

MOBILE TELECOMMUNICATION SYSTEMS; NETWORK SECURITY; SURVEYS; TELEPHONE SETS;

ATTACK VECTOR; BACKEND SYSTEM; CATCHING-UP; IMMANENTS; NETWORKS SECURITY; RESEARCH OPPORTUNITIES; SECURITY ATTACKS; SMART PHONES;

MOBILE SECURITY;

EID: 80051969895     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2011.29     Document Type: Conference Paper

References (101)

1. N. Leavitt, "Malicious Code Moves to Mobile Devices," IEEE Computer, vol. 33, no. 12, 2000.
2. S. N. Foley and R. Dumigan, "Are Handheld Viruses a Significant Threat?" Commun. ACM, vol. 44, no. 1, 2001.
3. D. Dagon et al., "Mobile Phones as Computing Devices: The Viruses are Coming!" IEEE Pervasive Computing, vol. 3, no. 4, 2004.
4. N. Leavitt, "Mobile Phones: The Next Frontier for Hackers?" IEEE Computer, vol. 38, no. 4, 2005.
5. M. Hypponen, "State of Cell Phone Malware in 2007," 2007, http://www.usenix.org/events/sec07/tech/hypponen.pdf.
6. J. Kleinberg, "The Wireless Epidemic," Nature, vol. 449, no. 20, Sep. 2007.
7. G. Lawton, "Is It Finally Time to Worry about Mobile Malware?" IEEE Computer, vol. 41, no. 5, 2008.
8. J. Oberheide and F. Jahanian, "When Mobile is Harder Than Fixed (and Vice Versa): Demystifying Security Challenges in Mobile Environments," in Workshop on Mobile Computing Systems and Applications (HotMobile), February 2010.
9. M. Kotadia, "Major Smartphone Worm 'by 2007'," Jun. 2005.
10. V. Bontchev, "Virusability of Modern Mobile Environments," in Virus Bulletin Conference, Sep. 2007.
11. Gartner Research, "Gartner Says Worldwide Mobile Phone Sales Grew 35 Percent in Third Quarter 2010; Smartphone Sales Increased 96 Percent," 2010, http://www.gartner.com/it/page.jsp?id=1466313.
12. A. Portnoy, "Pwn2Own 2010," 2010, http://dvlabs.tippingpoint. com/blog/2010/02/15/pwn2own-2010.
13. M. Keith, "Android 2.0-2.1 Reverse Shell Exploit," 2010, http://www.exploit-db.com/exploits/15423/.
14. R.-P. Weinmann, "All Your Baseband Are Belong To Us," hack.lu, 2010, http://2010.hack.lu/archive/2010/Weinmann-All-Your-Baseband-Are-Belong-To- Us-slides.pdf.
15. A. Greenberg, "Google pulls app that revealed Android flaw, issues fix," 2010, http://news.cnet.com/8301-270803-20022545-245.html.
16. P. Zheng and L. M. Ni, "The Rise of the Smart Phone," IEEE Distributed Systems Online, vol. 7, no. 3, 2006.
17. S. C. Guthery and M. J. Cronin, Developing MMS Applications - Multimedia Messaging Services for Wireless Networks. McGraw-Hill Professional, Jun. 2003.
18. D. Barroso, "ZeuS Mitmo: Man-in-the-mobile," September 2010, http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-i.html.
19. OMTP Limited, "Advanced Device Management," Jan. 2008.
20. -, "Mobile Application Security - Requirements for Mobile Applications Signing Schemes - Version 1.23," Dec. 2006.
21. M. Becher, "Security of smartphones at the dawn of their ubiquitousness," Ph.D. dissertation, University of Mannheim, Oct. 2009.
22. Bladox, s.r.o., "Turbo SIM," http://www.bladox.com/.
23. J. Berka, "Turbo SIM add-on allows full iPhone unlocking," Aug. 2007, http://arstechnica.com/apple/news/2007/08/turbo-sim-add-on-allows-full- iphone-unlocking.ars.
24. OsmocomBB project, "SIMtrace," http://bb.osmocom.org/trac/wiki/ SIMtrace.
25. OMTP Limited, "Advanced Trusted Environment - OMTP TR1," May 2008.
26. University of Glamorgan, "Disk Study 2008-2009," May 2009, http://isrg.weblog.glam.ac.uk/2009/5/7/disk-study-2008-2009.
27. F. C. Freiling et al., "Reconstructing people's lives: A case study in teaching forensic computing," in Conference on IT-Incidents Management & IT-Forensics - IMF, 2008.
28. E. Barkan et al., "Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication," J. Cryptology, vol. 21, no. 3, 2008.
29. J. Frick and R. Bott, "Method for identifying a mobile phone user or for eavesdropping on outgoing calls," http://v3.espacenet.com/ publicationDetails/biblio?CC=EP&NR=1051053&KC=&FT=E.
30. OsmocomBB project, "OpenBSC," http://openbsc.osmocom.org/trac/.
31. OpenBTS, "GSM. Simplified." http://openbts.sf.net/.
32. E. Biham et al., "A Related-Key Rectangle Attack on the Full KASUMI," in ASIACRYPT, 2005.
33. W. Enck et al., "Exploiting Open Functionality in SMS-capable Cellular Networks," in ACM Conference on Computer and Communications Security (CCS), 2005.
34. J. Serror et al., "Impact of Paging Channel Overloads or Attacks on a Cellular Network," in ACM Workshop on Wireless Security (WiSe), 2006.
35. P. Traynor et al., "Mitigating Attacks on Open Functionality in SMS-capable Cellular Networks," IEEE/ACM Trans. Netw., vol. 17, no. 1, 2009.
36. R. Racic et al., "Exploiting MMS Vulnerabilities to Stealthily Exhaust Mobile Phone's Battery," in Security and Privacy in Comm. Networks (SecureComm), 2006.
37. 3GPP, "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G security; Security principles and objectives (Release 4)," 3rd Generation Partnership Project (3GPP), Tech. Rep., Mar. 2001.
38. M. Hassan et al., "Comprehensive Analysis of UMTS Authentication and Key Agreement," International Journal of Computer and Network Security, vol. 2, no. 2, 2010.
39. S. Pütz, R. Schmitz, and T. Martin, "Security Mechanisms in UMTS," Datenschutz und Datensicherheit, vol. 25, no. 6, 2001.
40. U. Meyer and S. Wetzel, "A Man-in-the-Middle Attack on UMTS," in ACM Workshop on Wireless Security (WiSe), 2004.
41. P. P. C. Lee et al., "On the Detection of Signaling DoS Attacks on 3G/WiMax Wireless Networks," Comput. Netw., vol. 53, no. 15, 2009.
42. B. Zhao et al., "A Chain Reaction DoS Attack on 3G Networks: Analysis and Defenses," in IEEE Conference on Computer Communications (INFOCOM), 2009.
43. P. C. Kocher et al., "Differential Power Analysis," in CRYPTO, ser. Lecture Notes in Computer Science, M. J. Wiener, Ed., vol. 1666. Springer, 1999.
44. J. R. Rao et al., "Partitioning Attacks: Or How to Rapidly Clone Some GSM Cards," in IEEE Symposium on Security and Privacy, 2002.
45. E. Mills, "Leaking crypto keys from mobile devices," http://news.cnet.com/8301-27080 3-10379115-245.html, 2009.
46. G. Bertoni et al., "AES Power Attack Based on Induced Cache Miss and Countermeasure," in Conference on Information Technology: Coding and Computing (ITCC), 2005.
47. B. Krebs, "Paris Hilton Hack Started With Old-Fashioned Con," May 2005, http://www.washingtonpost.com/wp-dyn/content/article/2005/05/19/ AR2005051900711.html.
48. P. Traynor et al., "On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core," in ACM Conference on Computer and Communications Security (CCS), 2009.
49. C. Xenakis, "Malicious Actions against the GPRS Technology." Journal in Computer Virology, vol. 2, no. 2, 2006.
50. F-Secure, "Bluetooth-Worm: SymbOS/Cabir," "http://www.f- secure.com/v-descs/cabir.shtml".
51. Symantec Security Response, "Androi-dOS. Tapsnake: Watching Your Every Move," 2010, http://www.symantec.com/connect/blogs/androidostapsnake- watching-your-every-move.
52. N. Seriot, "SpyPhone," 2010, "https://github.com/nst/ spyphone/".
53. R. Schlegel et al., "Soundminer: A Stealthy and Context-Aware Sound Trojan for Smartphones," in Network and Distributed System Security Symposium (NDSS), Feb. 2011.
54. J. Franklin et al., "An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants," in ACM Conference on Computer and Communications Security (CCS), 2007.
55. R. Thomas and J. Martin, "The Underground Economy: Priceless," USENIX; login:, vol. 31, no. 6, Dec 2006.
56. T. Holz et al., "Learning More About the Underground Economy: a Case-Study of Keyloggers and Dropzones," in European Conference on Research in Computer Security (ESORICS), 2009.
57. Kaspersky Lab, "First SMS Trojan Detected for Smart-phones running Android," 2010, "http://www.kaspersky.com/news?id=207576156".
58. L. Liu et al., "Exploitation and Threat Analysis of Open Mobile Devices," in ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS), 2009.
59. K. Singh et al., "Evaluating Bluetooth as a Medium for Botnet Command and Control," in Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), 2010.
60. Y. Zeng et al., "Design of SMS Commanded-and-Controlled and P2P-Structured Mobile Botnets," University of Michigan, Tech. Rep. CSE-TR-562-10, 2010.
61. M. Abu Rajab et al., "A Multifaceted Approach to Understanding the Botnet Phenomenon," in ACM SIGCOMM Conference on Internet Measurement (IMC), 2006.
62. F. C. Freiling et al., "Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks," in European Conference on Research in Computer Security (ESORICS), 2005.
63. Bugtraq, "Siemens M Series SMS DoS Vulnerability," Mar. 2003, http://www.securityfocus.com/bid/7004/.
64. T. Engel, "Remote SMS/MMS Denial of Service - "Curse Of Silence" for Nokia S60 phones," Nov. 2008, http://berlin.ccc.de/ ~tobias/cos/s60-curse-of-silence-advisory.txt.
65. C. Mulliner and G. Vigna, "Vulnerability Analysis of MMS User Agents," in Computer Security Applications Conference (ACSAC), 2006.
66. OMTP Limited, "Browser," Oct. 2007.
67. CVE-2007-0685, "Denial of Service for Internet Explorer on Windows Mobile 5.0 and Windows Mobile 2003 and 2003SE for Smartphones and PocketPC," Feb. 2007, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE- 2007-0685.
68. C. Peikari, "PDA Attacks, Part 2: Airborne Viruses - Evolution of the Latest Threats," (IN)SECURE Magazine, vol. 4, Oct. 2005.
69. A. Shevchenko, "An Overview of Mobile Device Security," Sep. 2005, http://www.viruslist.com/en/analysis?pubid=170773606.
70. E. Eren and K.-O. Detken, Mobile Security. Hanser, 2006.
71. S. Töyssy and M. Helenius, "About Malicious Software in Smartphones." Journal in Computer Virology, vol. 2, no. 2, 2006.
72. V. Bontchev, "SymbOS Malware Classification Problems," in Virus Bulletin Conference, Aug. 2006.
73. McAfee, "Mobile Security Report," 2008, http://www.mcafee.com/ us/localcontent/reports/mcafeemobilesecurityreport2008.pdf.
74. J. Oberheide et al., "Virtualized In-Cloud Security Services for Mobile Devices," in Workshop on Virtualization in Mobile Computing (MobiVirt), 2008.
75. A.-D. Schmidt et al., "Static Analysis of Executables for Collaborative Malware Detection on Android," in IEEE International Conference on Communications (ICC), 2009.
76. -, "Detecting Symbian OS Malware through Static Function Call Analysis," in International Conference on Malicious and Unwanted Software (Malware), 2009.
77. J. Diaz, "How a 15-yo Kid Tricked Apple With a Disguised iPhone Tethering App," 2010, http://gizmodo.com/5592521/how-a-guy-tricked-apple- with-a-disguised-iphone-tethering-ap.
78. J. Cheng et al., "SmartSiren: Virus Detection and Alert for Smartphones," in International Conference on Mobile Systems, Applications and Services (MobiSys), 2007.
79. G. Portokalidis et al., "Paranoid Android: Versatile Protection For Smartphones," in Annual Computer Security Applications Conference (ACSAC), 2010.
80. L. Liu et al., "VirusMeter: Preventing Your Cellphone from Spies," in International Symposium on Recent Advances in Intrusion Detection (RAID), 2009.
81. H. Kim et al., "Detecting Energy-Greedy Anomalies and Mobile Malware Variants," in International Conference on Mobile Systems, Applications, and Services (MobiSys), 2008.
82. N. J. Percoco and C. Papathanasiou, "This is not the Droid you're looking for⋯" in Defcon 18, Aug. 2010.
83. J. Bickford et al., "Rootkits on Smart Phones: Attacks, Implications and Opportunities," in Workshop on Mobile Computing Sys. and Appl. (HotMobile'10). ACM, 2010.
84. M. Jakobsson and K.-A. Johansson, "Retroactive Detection of Malware With Applications to Mobile Platforms," in USENIX Workshop on Hot Topics in Security (HotSec), 2010.
85. S. M. Habib et al., "An Analysis of the Robustness and Stability of the Network Stack in Symbian-based Smartphones," Journal of Networks, vol. 4, no. 10, 2009.
86. W. Enck et al., "On Lightweight Mobile Phone Application Certification," in ACM Conference on Computer and Communications Security (CCS), 2009.
87. M. Ongtang et al., "Semantically Rich Application-Centric Security in Android," in Annual Computer Security Applications Conference (ACSAC), 2009.
88. A. P. Fuchs et al., "SCanDroid: Automated Security Certification of Android Applications," 2010.
89. W. Enck et al., "TaintDroid: An Information-flow Tracking System for Realtime Privacy Monitoring on Smartphones," in USENIX Symposium on Operating Systems Design and Implementation (OSDI), 2010.
90. M. Egele et al., "PiOS: Detecting Privacy Leaks in iOS Applications," in Network and Distributed System Security Symposium (NDSS), Feb. 2011.
91. Y. Niu et al., "iPhish: Phishing Vulnerabilities on Consumer Electronics," in USENIX Workshop on Usability, Psychology, and Security, 2008.
92. A. Whitten and J. D. Tygar, "Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0," in USENIX Security Symposium, 1999.
93. S. Furnell et al., "The Challenges of Understanding and Using Security: A Survey of End-Users," Computers & Security, vol. 25, no. 1, 2006.
94. L. Cranor and S. Garfinkel, Security and Usability: Designing Secure Systems That People Can Use. O'Reilly Media, 2005.
95. S. L. Garfinkel, "Design Principles and Patterns for Computer Systems that are Simultaneously Secure and Usable," Ph.D. dissertation, Massachusetts Institute of Technology, Cambridge, MA, USA, 2005.
96. S. Furnell, "Why Users Cannot Use Security," Computers & Security, vol. 24, no. 4, 2005.
97. -, "Making Security Usable: Are Things Improving?" Computers & Security, vol. 26, no. 6, 2007.
98. P. Kuper, "The State of Security," IEEE Security & Privacy, vol. 3, no. 5, 2005.
99. S. Görling, "The Myth of User Education," in Virus Bulletin Conference, Oct. 2006.
100. J. Nielsen, "Ten Usability Heuristics," 2005, http://www.useit.com/papers/heuristic/heuristiclist.html.
101. B. Shneiderman and C. Plaisant, Designing the User Interface: Strategies for Effective Human-Computer Interaction, 4th ed. Pearson Addison Wesley, 2004.