CHAPTER 11

Mobile Communication Security Challenges

It’s been more than a decade since the first recognized occurrence of malware that specifically targeted a mobile phone in 2004. The malware, called Cabir, was released, not into the wild, but to antivirus software developers. This was primarily as a proof of concept that mobile phone operating systems such as Symbian were not invulnerable to the malware that plagued PCs.

Despite this head start, little was done to address this issue. By 2012, malware had become a significant problem. Not surprisingly, the rapid growth in the last several years of malware targeting one or another smartphone operating system (OS) has matched the huge growth in the use of smartphones and tablets. Although malware developers have focused especially on the growth in market share of Android OS devices, that doesn’t mean the operating systems and phones made by other smartphone manufacturers are secure. Apple iOS and Windows Phone are also targeted, making them susceptible to malware and other mobile phone–specific threats that now pervade the mobile environment. This chapter looks at the vulnerabilities of each of the major mobile OSes as well as other issues that increase risk.

Chapter 11 Topics

This chapter covers the following concepts and topics:

  What general threats and vulnerabilities exist for mobile phones

  What exploits, tools, and techniques exist for mobile phones

  What security challenges exist with Google Android smartphones

  What security challenges exist with Apple iOS smartphones

  What security challenges exist with Windows Phone smartphones

Chapter 11 Goals

When you complete this chapter, you will be able to:

  Describe the security challenges specific to smartphones and tablets

  Describe the vulnerabilities and exploits of mobile operating systems

  Explain why the Android model is prone to exploits

  Describe the Android security architecture

  Describe the Apple iOS security architecture

  Describe the Windows Phone security architecture

  Understand how open or restricted access to applications affects user security

Mobile Phone Threats and Vulnerabilities

OS vendors must contend with more than merely identifying and mitigating threats. First, patches and fixes must be made available for a whole array of devices. Second, there may be a lack of security awareness among end users. Unaware of the risks involved, or simply not knowledgeable about the need for accepting software updates, a significant number of end users do not regularly download and install available security patches. Consequently, cybercriminals have found attacks on mobile phones an attractive and lucrative proposition.

Attacks on mobile phones are growing each month as cybercriminals shift their focus from PCs to mobile devices. In 2013, Sophos, a security firm, discovered 1,000 malware samples that targeted Android devices each day. By 2014, that figure had risen to 2,000 samples per day. This acceleration is consistent with other OSes.

Malware is not the only security challenge. Cybercriminals also focus on other attack vectors for mobile phones, such as OS attacks, side-loaded mobile applications (those downloaded from unauthorized third-party sites), and communication attacks. In addition, due to a lack of awareness on the part of end users, system updates often do not get installed (exposing the device to exploits), mobile browsing vulnerabilities exist, and data is not stored in a secure manner. Furthermore, interfacing with other trusted devices such as a PC through a USB or Bluetooth connection brings additional threats, such as USB exploits and USB hijacks. Even new OS features can introduce further attack vectors. For example, a single swipe with a near-field communication (NFC) tag can reveal financial information stored on the device.

In addition to the fact that large numbers of people now use smartphones, cybercriminals are attracted by the inherent weaknesses of mobile devices. Vulnerabilities can be the result of poor technical controls, lack of user awareness, and poor practices. As with any Wi-Fi–enabled device, data communications are an obvious vulnerability, but there are also major security concerns with side-loaded applications that are not approved, certified, or verified by the OS vendor. Moreover, it is not just unsecure application software that can prove to be a vulnerability. The OS on which the phone runs can also be a major source of security issues. Typically, this is more of an issue on Android devices due to the open source nature of the OS itself.

In addition to OS and application vulnerabilities, the login and authentication of the end user can be problematic as well. Although mobile phones often have security measures to enable the use of passwords, personal identification numbers (PINs), or even biometric tools such as fingerprint readers, end users often disable them or enable only the most basic form such as the four-digit PIN. Using a simple PIN rather than something more complicated makes the phone far more convenient to use, but it also renders the device less secure if it is lost or stolen. In such cases, the person who finds the phone may gain access to the data stored on the device. The unsecure storage of confidential data is therefore another potential weakness.

Something else to consider is the size of smartphones. Although this has been mitigated somewhat by the growth in screen size, smartphones are still small relative to PCs and laptops. Hackers often take advantage of this fact in their attempts at phishing. Because the full URL of a Web site cannot be seen clearly on a smartphone screen, smartphone users are particularly vulnerable to phishing attacks.

NOTE

One could argue that only the most security-conscious users bother to match the URL of a link to the name presented in the text of an e-mail message—by using a mouse-over function or by right-clicking the link—before clicking on it. In this view the risk from phishing on a smartphone is no worse than on PCs and laptops.

These vulnerabilities are a concern for all mobile smartphones and tablets regardless of OS. However, as mobile phones have become pervasive items for personal and business use—with penetration percentage rates reaching the high 90s and above in some countries—users’ security awareness has become a major issue. As a result, there has been much debate in recent years regarding the wisdom of people using their smartphones for both business and pleasure. Unfortunately for security teams, the perceived productivity and employee-satisfaction gains have trumped the legitimate concerns about the increase in risk that these devices and their inherent vulnerabilities represent. Consequently, cybercriminals around the world—particularly in Russia, Eastern Europe, and China—have launched massive attacks targeting smartphones (particularly Android phones) based on the dual promise of exploiting users and finding new pathways into very lucrative corporate networks.

Exploits, Tools, and Techniques

Every mobile phone—even those featuring the early, yet secure, Symbian OS—is vulnerable to basic forms of cyberattack. The early threats and vulnerabilities that come about from communication channels such as Short Message Service (SMS), Multimedia Message Service (MMS), Wi-Fi, and Bluetooth have always been a problem. With the advent of the smartphone, the scope of the risk has grown to encompass all forms of Internet threats including browser attacks, OS attacks such as remote jailbreaking (a method of circumventing provider-based security), remote access Trojans (RATs), rootkits, and the myriad types of malicious software already in the wild for PCs.

Mobile phone vulnerabilities and exploits can be categorized as shown in Table 11-1.

Although Wi-Fi and Bluetooth have real-world vulnerabilities, these vulnerabilities are not specific to smartphones or tablets. That is, they apply to any mobile device or Wi-Fi–enabled PC or router. What is specific is the way cybercriminals have developed smartphone-specific OS malware.

The vast majority of malware attacks developed between 2012 and 2014 target the Android operating system. This is not only due to Android’s popularity, but also because of its security model. Malware is not the only thing showing explosive growth in the Android ecosystem. Another threat, potentially unwanted applications (PUAs), is also thriving.

Developers create PUAs in an attempt to monetize their applications through connections to aggressive third-party advertising networks. These are sometimes referred to as mobile adware, or madware. On behalf of these third-party advertisers, the madware collects location information and tracks the device, perhaps even harvesting browser histories and contacts. Although PUAs are not strictly malware, their categorization is becoming a grey area because they introduce security risks along with the sometimes-unwanted third-party advertising. Some examples of Android PUAs are AirPush, Adwo, Dowgin, Kuguo, and Wapsx. The use of PUAs is growing exponentially within the Android realm. They are still only a fraction, however, compared with the vast ocean of Android-specific malware.

Google Android Security Challenges

The same year that Apple introduced the iPhone (2007), another technology giant, Google, announced its interest in the mobile phone market through the acquisition of a startup company named Android. Google’s interest in acquiring the company and in delivering an open source, Linux-based mobile phone operating system raised many eyebrows. Technologists viewed it as an interest in acquiring market share and as a direct challenge to Apple and Microsoft.

TABLE 11-1 Categories of mobile phone vulnerabilities and exploits.

Each category lists the example exploits in that category, followed by a description of the exploit.

Surveillance vulnerabilities
  Audio attack: This involves switching on the microphone to listen in on conversations.
  Camera attack: This involves hijacking the camera to monitor the user or the user’s surroundings.
  Location snooping: This involves the activation of Internet Protocol (IP)/browser tracking to monitor location. This is a common malware trick to gain advertising revenue.
  Call logs: This involves recording recent calls and messages, which can be read and/or stolen.
  Global Positioning System (GPS) tracking: This involves the activation of another location and tracking port to monitor location. This can be very accurate.

Financial vulnerabilities
  Stealing transaction codes: This technique is commonly used for man-in-the-middle attacks against online banking sites.
  Stealing account numbers: This is possible when the phone is used as a data repository or a mobile wallet with an unsecure data store.
  Making expensive calls: This involves bypassing security measures to make calls, which are then charged to the user’s account.
  Sending premium-rate SMS messages: This involves using a mobile handset to pay for services and products. This is a common way for cybercriminals to monetize their attacks.
  Extortion via ransomware: This is a method of extortion where malware is placed on a phone that prevents the phone from being used until a ransom is received. This is another popular method for turning nefarious cyberskills into cash.

Botnet activity
  Participating in distributed denial of service (DDoS) attacks: This involves hijacking the phone to participate in mass attacks on a third-party network—for example, by sending out Domain Name System (DNS) or Network Time Protocol (NTP) requests.
  Sending premium-rate SMS messages: Again, this is a way to make money at the owner’s expense.

Data theft
  Communications: E-mails and SMS messages are all open to theft.
  International Mobile Station Equipment Identity (IMEI) number theft: The IMEI number uniquely identifies the mobile phone and can be used for a number of purposes, such as blocking the phone on an operator’s network.
  Banking data: Unencrypted or poorly protected banking data can be captured and used to fraudulently access a user’s online account.
  Credit card data: Credit card details can be extracted from the phone, especially if it has no encryption or is using unsecure NFC.
  Contacts and phone book: This is another popular target for cybercriminals, which furthers their reach for potential victims.
  Photographs and video: The attacker can invade the user’s privacy by stealing his or her pictures and videos.
  Call logs: Tracking call activity is another way a cyberattacker can invade a user’s privacy.

Impersonation
  Sending SMS messages: This involves sending false messages to collect information from contacts or to engage in illegal or illicit activities (including harassing the user).
  Posting to social media sites: This is typically done to harass or embarrass the user.
  SMS redirection: This is used for eavesdropping and potential extortion.

Although Android was originally developed as an interface for digital cameras and then for touchscreen mobile devices such as smartphones and tablets, Google developed it further. This development quickly led to Android becoming the most popular OS for a variety of devices—not just mobile phones, but also tablets and game consoles. The first Android phone to become commercially available was the HTC Dream, which was unveiled in 2008.

Android benefited from the open source model. This model attracts an enormous number of community programmers and developers, who continually add features and functions desired by the public. This offers a huge advantage over closed systems, such as those used to develop Apple iOS and Windows Phone, where upgrades and features are added only if they are deemed financially viable, and then by a single team that may be competing for internal resources and priorities within the company. The open source model allows for rapid, multi-threaded development driven by customer demand. Many apps are developed, with the popular ones attracting more developers and enjoying rapid innovations and updates.

For this reason, Android-powered mobile phones have dominated the market, despite the popularity of the Apple iPhone. (This is despite the lukewarm reception upon Android’s launch, with companies such as Nokia and Microsoft scoffing at its relevance.) Furthermore, the adoption of the Android OS by Samsung, HTC, and many other vendors has made it the dominant OS in the mobile phone market. It is likely to stay that way, even though most vendors now deliver a mixture of open source and proprietary software.

Despite the fact that Android has focused on building a secure architecture, it is not free of vulnerabilities and threats. Far from it. If you believe the research conducted by antivirus companies, security threats on Android devices are growing at an exponential rate. (Google denies this, claiming that malware threats are rare.) More worrying is that in September of 2013, both the U.S. National Security Agency (NSA) and the British intelligence agency Government Communications Headquarters (GCHQ) stated that they had gained access to user data on iPhone, BlackBerry, and Android devices. This was because many popular applications collect personal data and transmit it unsecurely across the Internet. Usually, this information is used for advertising and marketing purposes, but that does not mean that it cannot be (or is not being) used for more sinister aims.

FYI

Different phone providers offer different versions of the Android OS (an inherent risk in any open source model)—although they are all based on a common core OS, which is managed by Google. From a security perspective, managing multiple versions of the OS is more difficult than managing a single version. This is not an insurmountable problem, however.

Criticism of Android

Google Android receives a lot of criticism from security experts due to the dangerous combination of its increasing popularity and its vulnerability to attacks. That being said, although Android is fundamentally open source, an Android OS implemented by a reputable manufacturer (which modifies, tests, and packages the code for its own means) is no more or less vulnerable to malware attacks than other systems—as long as end users show some awareness of the potential security vulnerabilities brought about by rooting their devices. Rooting an Android device gives users privileged control (root access) and the ability to download and upload any software they wish, including security updates, even from third parties. This is great for tech-savvy users who are diligent about security, but it provides cybercriminals with a way to prey on those who are not security literate.

The most lucrative targets for cybercriminals are those who are naïve, are gullible, or just don’t want to spend the money for genuine applications rather than download so-called “free apps.” In particular, cybercriminals have targeted Android by developing malware that is delivered to the end user via Trojans. This has proved to be an effective delivery mechanism. Typically, the malware payload is bound to an existing genuine application, such as the popular game Angry Birds, which is then made available free of charge on pirate sites such as Pirate Bay or on peer-to-peer (P2P) software sharing sites. The unsuspecting end user downloads the “free” software and installs it along with the Trojan. In the end, the $1.99 saved by downloading the pirated version can cost the end user thousands of dollars—not to mention a great deal of time and stress—if the hacker successfully uses the malware to access the user’s bank accounts or credit card numbers.

TIP

If you use your Android device as designed and download only applications from Google Play (discussed later in the chapter), then there is little chance of your device being infected by serious malware from legitimate application sites.

Android Exploitation Tools

Android is an open source form of a widely used version of Linux. Because of this, there are many tools available that developers and programmers can use to decompile, analyze, and study Android OS code and applications. The people who use these tools may be good guys who seek to identify malicious or otherwise problematic code. Or, these same tools may be used by cybercriminals to exploit known vulnerabilities and create their own malware.

FYI

One of the great myths of open source software is that because many people study the code, the chances that a bug will go unnoticed for a considerable amount of time are decreased. This myth has been disproved by the recent Heartbleed vulnerability, which was a huge hole in the security code in very popular open source applications. This vulnerability existed for more than a decade and was not widely known until it was publicly disclosed in 2014.

The tools available for evaluating and exploiting security issues with Android include the following:

  AndroRAT—This tool, which can be bound to other applications, can read messages and contacts, steal data, view video, record calls, and more. This full framework of open source tools is freely available and is constantly updated.

  Android SDK—The Android software development kit (SDK) is the official Android development tool. It enables developers to compile and decompile applications for Android. This is an essential development or research toolkit.

  DroidBox—Another application for analyzing Android applications, DroidBox can check for password hashes, check files for read/write data, and record incoming and outgoing communications (SMS messages and phone calls), among other things.

  Android Framework for Exploitation—This tool can scan the network, looking for security issues and vulnerabilities on Android devices.

There are many more open source tools available to both secure and exploit Android devices. The fact that Android is built on open source code is both its strength and its weakness. In particular, the applications that run on the Android architecture are easily viewable, and can be analyzed, verified, or modified without difficulty. To gain this capability, all that is required is to download the Android SDK and decompile the code. It is then very simple to modify the code or use tools such as AndroRAT to create “test” code that binds to legitimate applications and will circumvent anti-malware software detection.

Android Security Architecture

Android is an open mobile platform built on a robust security architecture. This architecture was designed to ensure the protection of users, data, applications, and devices by providing a secure development environment. The Android approach is to build multilayer security for an open architecture while providing flexibility and protection for users of the platform. Android also keeps developers’ interests in mind, and has tried to reduce the burden on application developers by introducing many security controls that can be built into software.

The Android security platform controls and features include the following:

  Security at the OS Linux kernel—This ensures that native code is constrained by the application sandbox.

  Mandatory sandboxing of applications—This prevents applications from interacting with each other and limits access to the operating system.

  Secure inter-process communication—This provides standard and secure mechanisms for accessing file systems and other resources.

  Digital signing of applications—This identifies application authors and deters or prevents malware.

  User-granted application permissions—These require applications to obtain express permission from users before accessing resources such as camera functions, contact lists, or GPS.

The Android software stack contains the security measures required to secure applications, with each layer assuming that the components lower in the stack are secure. The top layer is the application layer, which hosts device-based applications such as the dialer, SMS/MMS, browser, camera, and so on. Below that are the application frameworks, which are the services provided. These include the activity manager and the package manager, among others. Below the frameworks are the libraries and the Android runtime virtual machines. This layer is built on the Linux kernel, which provides inter-process communications control and ensures that even native code is constrained by the application sandbox.

Android Application Architecture

Because Android is an open source platform, every application created for Android devices consists of essential building blocks. Therefore, every application can be decompiled and reviewed as blocks of source code. This is made easier because Android consists of basic software components that make up each application. These components are as follows:

  Activity—This is a user interface whereby a user can enter data or interact with the application in some other way.

  Service—A service performs operations in the background—for example, playing music.

  Content providers—These provide information to third-party applications. A content provider can be seen as an interface that processes data in one process and feeds it to another independent process.

  Broadcast receivers—These respond to systemwide notifications such as “battery low” or “microphone unplugged.” The OS normally initiates these notifications or broadcasts, but trusted applications can also issue broadcasts.

Google Play

Google Play is the digital distribution platform for Android applications. It was launched in 2012 through the merger of Android Market and Google Music. As a result, Google Play is not just an application store but also offers a broad catalog of other products, such as music, books, magazines, games, movies, and TV shows.

Google Play provides a market for users to browse Google and third-party applications for Android devices. Google Play does not, however, install these applications. It merely downloads the application as a package. The PackageManagerService on the device then performs the actual installation in the device’s internal storage.

Google does have an approval process for apps. As a result, some restrictions do apply to third-party applications. Google also uses application security techniques such as running an automated antivirus program called Google Bouncer against all uploaded applications as part of the vetting process to remove malicious applications. Another security feature in Google Play displays all the permissions required by an application before it is installed. In theory, this should warn the user of an application’s intentions. The user can review the permissions requested and check whether they are suitable or compatible for the type of application. The user can then decide whether to install the application or not.
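The permission review described above can be automated for a first pass. The following is an added example (not from the textbook or from Google Play): it parses the uses-permission entries of an AndroidManifest.xml and flags sensitive permissions that the app's declared purpose does not justify, labelling each with the Table 11-1 category its misuse would fall under. The permission-to-category mapping, the per-app-type baselines, and the sample manifest are constructed assumptions for illustration.

```python
"""Flag Android manifest permissions that do not fit an app's stated purpose.

Added example, not part of the textbook.  The SENSITIVE mapping and the EXPECTED
baselines are assumptions chosen for illustration; a real review would tune them.
"""
import xml.etree.ElementTree as ET

# Namespace used by the android: attribute prefix in every manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Sensitive permissions and the Table 11-1 category their misuse falls under (assumed mapping).
SENSITIVE = {
    "android.permission.RECORD_AUDIO": "surveillance (audio attack)",
    "android.permission.CAMERA": "surveillance (camera attack)",
    "android.permission.ACCESS_FINE_LOCATION": "surveillance (GPS tracking)",
    "android.permission.ACCESS_COARSE_LOCATION": "surveillance (location snooping)",
    "android.permission.READ_CALL_LOG": "surveillance (call logs)",
    "android.permission.SEND_SMS": "financial (premium-rate SMS)",
    "android.permission.CALL_PHONE": "financial (expensive calls)",
    "android.permission.READ_SMS": "data theft (communications)",
    "android.permission.READ_CONTACTS": "data theft (contacts and phone book)",
    "android.permission.READ_EXTERNAL_STORAGE": "data theft (photographs and video)",
    "android.permission.READ_PHONE_STATE": "data theft (IMEI number)",
    "android.permission.RECEIVE_SMS": "impersonation (SMS redirection)",
}

# Sensitive permissions an app of a given type can plausibly justify (assumed baselines).
EXPECTED = {
    # A torch app drives the LED flash through the camera API on older Android releases.
    "flashlight": {"android.permission.CAMERA"},
    "camera": {"android.permission.CAMERA",
               "android.permission.READ_EXTERNAL_STORAGE"},
    "messaging": {"android.permission.SEND_SMS", "android.permission.READ_SMS",
                  "android.permission.RECEIVE_SMS", "android.permission.READ_CONTACTS"},
}


def requested_permissions(manifest_xml):
    """Return the permission names declared in <uses-permission> elements, in order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for elem in root.iter("uses-permission"):
        name = elem.get("{%s}name" % ANDROID_NS)
        if name:
            names.append(name)
    return names


def review(manifest_xml, app_type):
    """Map each unjustified sensitive permission to its Table 11-1 category.

    An unknown app_type gets an empty baseline, so every sensitive permission is flagged.
    """
    baseline = EXPECTED.get(app_type, set())
    findings = {}
    for perm in requested_permissions(manifest_xml):
        if perm in SENSITIVE and perm not in baseline:
            findings[perm] = SENSITIVE[perm]
    return findings


# Constructed sample: a "flashlight" app asking for far more than a torch needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Torch"/>
</manifest>
"""

if __name__ == "__main__":
    for perm, category in sorted(review(SAMPLE_MANIFEST, "flashlight").items()):
        print("%s: %s" % (perm, category))
```

The output is only a prompt for a human decision, as on the Google Play install screen: a flagged permission is a mismatch to investigate, not proof of malware.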

Google Play is not restrictive. That is, Android device owners are free to access applications from other sources. Therefore, Android devices can download applications from any third party, or even side-load applications from a developer’s or corporate Web site. This lack of restriction is in contrast to the walled garden of Apple and Microsoft. (A walled garden is any environment that controls the user’s access to Web content and services. In the case of Apple and Windows, it refers to their authorized enterprise portals, which are the only sources for downloading applications to Apple iOS or Windows Phone devices, respectively.) Rooting, the process of circumventing these restrictions, is also called jailbreaking.

NOTE

Rooting is also done to allow phones to be used on carrier networks other than the one with which they were originally associated. (Carriers often subsidize the cost of a phone and lock the phone to their own network.)

Apple iOS Security Challenges

The introduction of the iPhone in 2007 changed the mobile phone landscape. The arrival of the original iPhone, which was more of a handheld computer with a large touchscreen than merely a phone, sparked changes in mobility, computing, photography, and independent software development, to name just a few areas. Its operating system, called iOS, ran a Safari Web browser and offered built-in Wi-Fi and Bluetooth in addition to traditional mobile communications.

The iPhone was one of the most disruptive devices of the new century. It certainly transformed the way we benchmark mobile phones and even the way we work and play. From a security aspect, however, it opened up a whole new way of thinking. The iPhone, along with the other smartphones that were to follow, was not simply a mobile telephone, but a complex computer in a miniaturized format that carried with it a treasure trove of user information beyond what any other device had ever held.

When the iPhone was launched in 2007, and followed a year later by the iPhone 3G, it was clear that it would change the way people interacted with technology. The public embraced this change. Suddenly, mobile data and Internet, along with Web access from a mobile phone, became hugely popular. Indeed, it was so successful that within a few years, data usage levels skyrocketed and Internet access on mobile devices became the norm.

It’s debatable whether the iPhone sparked the widespread adoption of smart devices or if the iPhone (and, later, the iPad) simply happened to appear at just the right time. Previous attempts at smartphones and tablets had failed due to a lack of applications and connectivity. Perhaps the difference-maker was the creation of the App Store, where users could download thousands of Apple-approved third-party applications. This was a major divergence from previous strategies pursued by the likes of Nokia, BlackBerry, Windows, and even Apple, and it sparked massive user interest and demand.

Before this, manufacturers of so-called smartphones made the development of third-party applications as difficult as possible for independent and small software houses. In contrast, Apple actively encouraged independents to develop applications for its product, resulting in a huge repository of applications available from the App Store. This freed Apple from having to guess which applications would be profitable from a development standpoint. It also kicked off a modern-day gold rush, as developers of popular apps became millionaires overnight.

Unlike Android, Apple iOS is closed source and follows a walled garden philosophy. That is, only verified applications from the App Store are available for download. From a development standpoint, this has made iOS less attractive to cybercriminals. Indeed, to download or side-load unauthorized applications, the user must jailbreak the device, at which point Apple can claim innocence of any damage caused by attacks. From Apple’s perspective, the walled garden approach is the more secure choice—and many security pros agree.

FYI

The App Store is something of a double-edged sword. On one side, it makes it easier to secure applications and prevent unauthorized downloads from third parties. This limits the iPhone’s vulnerability to malware. Some view this as too restrictive, however—a problem that has been exacerbated by Apple enabling service providers to lock devices to work only on their networks. (This was because service providers were heavily discounting phones purchased with a service agreement.) The result was that users found ways to jailbreak the iOS security features, which of course opened phones to attack. Unfortunately, jailbreaking devices has become very popular. Some users feel limited by the fact that they can only download Apple-verified applications through the App Store. Many want the freedom to download or even build their own applications.

Apple has one more security advantage over Android: It typically releases only one new phone per year. In contrast, Android devices (which use open source software) are released by the hundreds. Apple has pushed BlackBerry aside in the corporate boardroom battle and has managed to keep Samsung’s Galaxy, an Android device, at bay in corporate settings (at least for now).

Like the Android OS, the Apple iOS operating system has a component-layered model. The layers consist of the following:

  System architecture—This involves the OS platform and hardware used to protect the iOS device. It also relates to sandbox testing and application isolation. It includes a secure boot chain, system software authorization, the Secure Enclave, and Touch ID.

  Encryption and data protection—These are the techniques used to safeguard against theft. They include file data protection, passcodes, keychain data protection, and more.

  Network security—These are the techniques used to protect data when it is transmitted across the open Internet. They include Secure Sockets Layer (SSL) and Transport Layer Security (TLS) security.

  Application security—This includes digital authentication and verification, runtime process security, data protection within applications, sandboxes, and service isolation.

  Internet services—These include iMessage, FaceTime, Siri, and iCloud.

  Device access—These are the basic security tools such as passwords, PINs, remote wipe, mobile device management (MDM), and even remote access tools.

A key consideration with the iPhone was how it could be secured against theft or loss. After all, the mobile device held private user data, such as account information and passwords. For this, access control is always a good starting point. To that end, the iPhone had a password lock. In addition, it used many other access control techniques, such as application permission requests, which are similar to the permission per process control in Android.

Apple iOS Exploits

Although this chapter has stressed vulnerabilities in Android, Apple iOS and Windows Phone also suffer from them. For example, in 2014, attackers took advantage of a weakness in the Find My iPhone service, which did not limit failed login attempts, to brute-force the iCloud passwords of celebrity accounts. This enabled the attackers to steal the victims' stored personal data and photos. Apple has since changed the service to lock out accounts after repeated failed attempts, which is the standard defense against online password guessing.

Following are a few examples of vulnerabilities found in Apple iOS. None of these was catastrophic on its own, but together they illustrate that iOS does have vulnerabilities.

  Weaknesses in 802.1X authentication handling allowed an attacker to impersonate a Wi-Fi access point and so interpose on a device's network traffic.

  A flaw allowed a sandboxed application to read iCloud account information it should not have been able to reach.

  A logic error prevented the screen from locking, leaving an unattended device open.

  Address book data was protected with weak encryption, so it could be recovered from the device.

  A local attacker could write to the /tmp directory and install unverified applications.

  Attackers could spoof the validation of updates and developer certificates. In the latter case, forging a certificate or buying one on the black market lets an attacker sign an application that never passed Apple's App Store review and sideload it onto devices. Because the device trusts the signature, such an application can use capabilities the review process would have flagged, and the user has no way to tell it apart from a legitimately reviewed app.

  Bluetooth could be unexpectedly enabled after an update, creating a host of security issues.

  Because of a vulnerability in the graphics engine, a maliciously crafted PDF file could crash an application (memory-corruption bugs of this kind are also the usual starting point for code execution).

  In iMessage, attachments could persist even after being deleted, which could expose sensitive information that was assumed to no longer be present. Newer versions perform additional checks to ensure attachments are really removed.

What is more, Apple provides frameworks such as IOKit for those developing device drivers and low-level software. In the right hands, these interfaces are a boon for development. But because they expose kernel functionality to user-space code, they are also a favorite hunting ground for attackers looking for privilege-escalation bugs.

NOTE

Although Apple fixed many of these vulnerabilities in iOS 8.1, each new OS release exposes new ones. And the fixes matter only if users install the update, which many do not.

Another security issue was the iOS Web browser. Browsing on a mobile device carries the same dangers and vulnerabilities as browsing on a PC. The iOS 4 release added security and management features that permitted granular policy control of the device, a prerequisite for widespread corporate adoption. Nonetheless, browser-based attacks have evolved from simple e-mail phishing to drive-by attacks in which a malicious page exploits the browser's own rendering code. The JailbreakMe tool is an example: simply visiting its Web page triggered flaws in Safari that jailbroke the device.

A significant threat to iOS devices is surveillance by mobile remote access Trojans (mRATs). This attack route targets jailbroken devices, on which the code-signing and sandbox restrictions that normally block unreviewed code have been removed. Once those controls are gone, it is easy for an attacker to install a Trojan and gain control of the device. The attacker then has access to all the features and data on the phone, including the ability to read and delete data and to take pictures and videos without the user's knowledge.

Similarly, Apple lets organizations set device settings and restrictions through configuration profiles. A profile can change Wi-Fi, VPN, proxy and certificate settings and enroll the device in mobile device management. If an attacker can persuade a user to install a malicious profile, the attacker can route the device's traffic through a proxy or VPN he or she controls, install a rogue root certificate, or enroll the device in a rogue MDM server, in effect gaining remote control of the phone.

Apple iOS Architecture

The iOS architecture is a layered model. At the highest level, iOS can be considered an intermediary between the underlying hardware and the applications running on the device. Applications do not talk directly to the hardware but rather go through iOS and its device drivers. The operating system is built from several layers that stack on one another, each offering a higher level of abstraction than the one beneath it. From the top down, the layers are as follows:

  Cocoa Touch Layer—This top layer abstracts the lower levels and is where most application development occurs. It reduces the amount and complexity of the code an application needs.

  Media Layer—This layer contains the graphics, audio, and video technologies used to implement multimedia features in applications.

  Core Services Layer—This layer provides the system services that applications require, including support for iCloud, social media, and networking.

  Core OS Layer—This layer contains the low-level features, such as the kernel interfaces and security services, that are the foundation of all the higher layers.

To assist developers, Apple supplies a developer library containing application programming interface (API) references, programming guides, and sample code. The lesson for end users is that to remain secure, they should install applications only from the App Store, the marketplace Apple created for developers to distribute reviewed applications on which end users can rely.

The App Store

The App Store was launched in July 2008 with a library of 500 applications, a mixture of business applications and games, about 25 percent of which were free. At the time of this writing, the App Store boasts more than 1,000,000 apps and has had in excess of 75,000,000,000 downloads since its launch.

The App Store is a digital distribution platform run by Apple for mobile apps developed for the iOS mobile operating system. The platform provides a repository of applications developed with Apple's SDK. Users can browse these apps and download them directly to their iOS device. The App Store is the only authorized source for third-party applications for the iPhone, iPod touch, and iPad. Apple maintains the App Store and monitors the quality of the applications uploaded by developers. Applications can be offered free or sold for a price, in which case Apple takes 30 percent of the revenue and the developer receives the remaining 70 percent. Many so-called "free" apps have in-app revenue sources or pull in advertising revenue from other vendors.

By hosting the App Store, Apple created a vast marketplace for trusted third-party apps, which gave its devices a distinct advantage over competitors such as Microsoft and BlackBerry. Apple reviews applications before they are published to the App Store, using basic reliability testing and code analysis. Additionally, Apple rates applications based on content and assigns appropriate age groups and categories. Review is a useful filter, not a guarantee: a reviewed app can still contain bugs or behavior that the analysis did not catch.

Because the App Store was designed for consumers, it left businesses unable to distribute their in-house applications to employee devices. Apple resolved this with an extension often called the Enterprise App Store, which lets a business sign and publish its own applications through the Apple iOS Developer Enterprise Program. These applications remain subject to Apple's control: Apple can disable such an application on users' devices simply by revoking the certificate it was signed with, a capability known as Apple's "kill switch."

Despite Apple’s original vision of a global marketplace for iOS applications, national laws and regulations have resulted in the launch of many different App Stores. Furthermore, there are restrictions whereby users can only use the App Store that caters to the country in which they are registered.

Windows Phone Security Challenges

The Windows Phone OS replaced the Windows Mobile 6.5 OS. Although Windows Mobile 6.5 never achieved a large market share, it was very business oriented; in fact, it was developed for that purpose, with strong and granular permissions and features that a user or administrator could control. Unfortunately, its successor, Windows Phone 7, had none of the security and management features that business network administrators require. This was rectified in Windows Phone 8, and Microsoft has since added security and management features comparable to those of Apple iOS.

Windows Phone OS Exploits

Microsoft's security engineering is mature, and the Windows Phone OS benefits from it. It uses the same update/patch approach as other Windows products. Additionally, Windows Phone OS is less likely to be jailbroken than iOS, in part because of the diversity of devices on which it runs. Consequently, exploits on the Windows Phone OS typically stem from a breach of the user's trust (an application being granted a capability that it then misuses) rather than a breach of the OS's internal security. Applications must ask for permission to access phone functions as they use them rather than only at installation, so the user always has the option to deny the request.

Ironically, the fact that Windows Phone has low market share (and high programming complexity) means it is not an attractive target for cybercriminals compared with Android. As a result, Microsoft can claim a negligible number of successful malware attacks. This is the reverse of the situation on the desktop, where Windows is the larger target and Apple computers the smaller one.

Windows Phone Security Architecture

Windows Phone 8 has a large number of security controls to protect third-party applications. The system is heavily compartmentalized, using a sandboxing approach to applications. This prevents them from interacting with one another. File and protocol handlers exist to assist in app-to-app communication in cases where it is needed, but the interaction remains limited.

In addition, there are other mechanisms for protecting data storage on the device itself. For example, Windows Phone 8 uses BitLocker disk encryption to protect not only the storage areas but also the isolated data storage compartments that applications use.

Windows Phone Architecture

Like iOS, Windows Phone 8.1 is a closed system. The underlying OS code is not available to developers. Only APIs are used along with the Windows development kits. Windows Phone 8.1 is based on the Windows NT kernel and is a stripped down Windows system that boots, manages hardware and resources, authenticates, and communicates just like any other Windows device. It also contains low-level security features and network components. Where Windows Phone 8.1 differs is that it contains additional mobile phone–specific binaries that form the Mobile Core.

The architecture itself is a layered model. Applications run on top of an operating layer, which provides the services and programming frameworks that applications use to create the user experience. Below the operating layer is the system kernel, which controls the file system and storage, the input/output (I/O) manager, the memory manager, and networking and security functions. Below the kernel are the device drivers, which talk directly to the original equipment manufacturer (OEM) hardware. Developers use the Windows Phone SDK 8.0, which contains the tools and emulators necessary to create applications that run on the OS.

NOTE

Unlike Apple and Android, Microsoft uses one OS for phones and another for tablets.

Windows Store

Windows Store is the successor to Windows Marketplace, which was Microsoft’s online software storefront. Windows Store was launched in 2012 with Windows 8. It was designed to provide a platform for users to browse and purchase Windows applications and what used to be called “metro-style apps.” Microsoft design guidelines require apps to be tightly sandboxed and constantly monitored for quality, compliance, and security.

Windows Store is the digital distribution platform for Windows applications. It is the primary method for distribution of metro-style apps. Microsoft scans apps for security issues and flaws and to detect and filter malware. Similar to Apple, Microsoft has taken the walled garden approach. Windows Store is the only source of authorized applications.

Windows Store provides a marketplace for users to browse for Windows Phone applications and for third-party developers to showcase their products. For developers, Microsoft provides a portal and tools for tracking sales, financials, adoption, and ratings via a developer dashboard.

Microsoft sees the development of Windows Store as strategic, viewing the lack of external applications as one of the factors restricting the adoption of Windows Phone. The development of Windows Store is believed to be key to making up ground with Google Play and the Apple App Store. Currently, Windows Store offers more than 170,000 applications available for download, with games, entertainment, books, and reference being the largest categories.

CHAPTER SUMMARY

The rapid growth of smartphones and tablet sales since 2007 has proven to be an excellent opportunity for cybercriminals. Not only has it provided a vast array of new attack routes, it has also allowed them to focus on potentially affluent victims. Additionally, these new devices and technologies have become the primary form of Internet browsing and communication. Increasing numbers of smartphone users are taking advantage of their devices to conduct e-commerce and mobile banking, as well as using their phones as mobile wallets. More a lifestyle tool than merely a phone, these devices contain valuable personal and financial information such as bank or credit card details.

While the Android operating system is the most targeted, owing to its open source nature and the many parallel vendor versions it has spawned, all the major mobile operating systems, including Apple iOS and Windows Phone, have proven to be either directly vulnerable or susceptible to vulnerabilities introduced by user actions and third-party applications. In addition to these platform-specific vulnerabilities, all smartphones are exposed to the same browser-based vulnerabilities that plague laptops and PCs.

Compounding the security issue is the fact that thanks to new technologies, users require time to become familiar with the device and the security best practices that can help mitigate risks. It also takes time and experience for the manufacturers of these devices to become aware of security vulnerabilities and to take steps to fix them.

KEY CONCEPTS AND TERMS

International Mobile Station Equipment Identity (IMEI) number

Madware

Mobile remote access Trojans (mRATs)

Potentially unwanted applications (PUAs)

Remote access Trojans (RATs)

Rooting

CHAPTER 11 ASSESSMENT

1. The Android OS is less susceptible to attacks than Apple iOS and Windows Phone because it is based on an open source model.

A. True

B. False

2. Compared to PCs, mobile devices have which of the following?

A. Less risk, because they are moving targets

B. More risk, because they are subject to all the same exploits and many of their own issues

C. The same amount of risk as non-mobile devices

D. Less risk, because they are newer

3. Potentially unwanted applications (PUAs) are used for which of the following purposes?

A. To create competition in Google Play

B. To monetize applications through connections to aggressive third-party advertising networks

C. As a category for low-rated applications

D. To clean up memory on phones

4. The open source nature of Android results in which of the following?

A. Better security

B. Fewer code releases

C. Consistent software versions among vendors

D. Rapid, multi-threaded development driven by customer demand

5. Google Play displays all the permissions required by an application before it is installed. This warns users of all the services the app will use before installation.

A. True

B. False

6. Apple’s security-based decision to restrict the downloading of apps to those in its App Store is one of the reasons people jailbreak phones, which is one of the biggest security problems in iOS.

A. True

B. False

7. Which of the following is the key difference between the Android and Apple iOS security approaches?

A. Open source models are more secure.

B. Apple uses a walled garden approach, requiring all apps to go through its system.

C. Google Play lacks security checks.

D. Google uses a walled garden approach, requiring all apps to go through its system.

8. Why are Windows Phones less likely to be jailbroken?

A. People don’t really care.

B. The OS is offered on a wide variety of devices, giving people more options.

C. The code design makes it harder to achieve.

D. There are no third-party applications available.

9. Windows Phone’s sandboxing approach does not allow apps to directly interact with each other.

A. True

B. False

10. The Heartbleed vulnerability, which existed for years before it was discovered and publicly disclosed, illustrated which of the following?

A. Developers are lazy.

B. Open source code is not secure.

C. Bugs will always exist in complex code, no matter how diligent developers are.

D. Hackers are slow to exploit vulnerabilities.
