Daniel Adams
Dr. Box
CSC 345
24 April 2014
Mobile Operating Systems and Their Security

Operating systems allow users to interact with computer hardware.
Hardware has advanced and evolved into many form factors, notably into smaller, more
mobile forms. Mobile devices are quickly growing in number and functionality. It has now
become the exception rather than the norm to not own a smartphone. Users now have
access to more and more features and functionality, which requires a more complex
operating system. Included among these features is some form of security that the
operating system uses to protect the device. This paper will include a brief history of mobile
operating systems and a discussion of mobile security.

For the purposes of this paper, a mobile device is defined as a smartphone, tablet, or
PDA. The first mobile operating system was Palm OS. Developed by Palm Inc. and released
in 1996, Palm OS gave users a graphical interface to control their PDAs. It provided a few
apps, but no file system; everything was loaded into RAM. Windows CE, a version of
Windows for embedded systems, was also released in 1996. Three years later, in 1999,
Nokia released its mobile operating system, Series 40, on the Nokia 7110, the first phone
with a WAP web browser. In 2000, the Ericsson R380 was released running Symbian. This
phone is referred to as the first smartphone, as it combined the functionality of a cell phone
and a PDA. More companies began releasing smartphones shortly thereafter, with the
Kyocera 6035 running Palm OS in 2001, and Microsoft and BlackBerry releasing their first
smartphones each with their own unique operating systems. The next big step in mobile
operating systems happened in 2007 with Apple’s release of the iPhone and iOS. A year
later, the first version of Android was released on the HTC Dream. Windows went on to
release Windows Phone in 2010. Today, Android and iOS are the most common mobile
operating systems, with Windows Phone and BlackBerry quite far behind. Other new
operating systems that have been announced and are currently being developed are Firefox
OS and Ubuntu Touch.

Today’s modern mobile devices boast a large array of features, including wireless
internet connectivity, GPS navigation, video and audio recording, and music playing. Along
with the bevy of features, there are also numerous ways to exploit these mobile devices.
Below, some of these exploits will be discussed.

Some mobile devices can be victimized by a denial-of-service attack. A denial-of-service
attack is one that makes a device or resource unavailable to a user who should be
able to access it. A particular example of a denial-of-service attack involved Nokia’s S60
operating system. If an SMS message was received from an email address containing more
than 32 characters, the phone would be unable to receive any SMS or MMS messages until
a hard reset was performed. Another denial-of-service attack is possible when a malicious
application is programmed to consume an excessive amount of power, draining the battery
faster than usual.

Mobile operating systems are not immune to malware, though it is not as rampant
as on computers. Examples of malware that can affect mobile devices are worms, viruses,
and Trojans. A worm is a malicious program that actively attempts to transmit itself over a
network to infect other devices. A virus is a malicious program that spreads itself when it is
run. Viruses and worms can have a variety of effects, including deleting files, corrupting
data, accessing private information, and sending spam. A Trojan horse is a program that is
disguised as being benign, but allows other users to connect without being detected.

The cost of having an infected or otherwise compromised mobile device is high. A
user could experience a denial-of-service, which could result in the loss of uptime and data.
An especially vicious attack could involve the attacker deleting critical operating system
files, rendering the device unusable. A compromise could also be a severe breach of
privacy, with an attacker able to gain access to personal files, including contacts, calendar
appointments, documents, and media files, and even record telephone calls. A mobile
device could also become a part of a botnet, a network of devices that is controlled by a
third party when not being used by the user, and is sometimes used to conduct distributed
denial-of-service attacks and other malicious acts. An attacker could also force a phone to
make calls and drive up costs to the user.

Mobile operating systems have safeguards in place to attempt to mitigate these
attacks. To prevent the installation of malware, iOS only allows software to be installed
through its own app store, and Apple must approve all new applications. On Android, this
sort of protection is not offered, but Google does scan apps put on the app store for
malware. By default, users can only install applications from Google’s Play Store, but this
can be easily changed by just toggling a setting. Recently, Android began providing an
option to monitor apps on the device for malicious behavior, and there are a multitude of
malware scanning apps available on the Play Store. Windows Phone has a similar
app-approval system to keep malicious applications out of the Windows Phone Store,
and does not allow applications to be installed other than from the store.

Mobile operating systems have lower-level safeguards in place to prevent the device
from being compromised by a rootkit, a malicious program that conceals itself and other
associated processes. iOS and Windows Phone use a chain of trust in which they check
application signatures on boot and stop the boot when there is a discrepancy. Android uses a
similar system, using hash trees.
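
A simplified sketch of the hash-tree check mentioned above, added here as an example and not taken from the paper or from Android's source: a binary SHA-256 tree over a constructed five-block image, in which one trusted root hash is enough to detect a change to any block. The 16-byte block size, the zero padding node and all function names are assumptions made for the demo; Android's dm-verity applies the same idea with 4096-byte blocks and a different tree layout.

```python
import hashlib
import hmac

BLOCK_SIZE = 16          # constructed for the demo; dm-verity uses 4096-byte blocks
ZERO = b"\x00" * 32      # padding node for levels with an odd number of hashes
# Constructed sample "partition": five blocks filled with A, B, C, D, E.
IMAGE = b"".join(bytes([65 + i]) * BLOCK_SIZE for i in range(5))

def h(data):
    return hashlib.sha256(data).digest()

def build_tree(image):
    """Return the tree as levels: levels[0] holds block hashes, levels[-1] is [root]."""
    if not image:
        raise ValueError("empty image")
    level = [h(image[i:i + BLOCK_SIZE]) for i in range(0, len(image), BLOCK_SIZE)]
    levels = []
    while len(level) > 1:
        if len(level) % 2:
            level = level + [ZERO]
        levels.append(level)
        level = [h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    levels.append(level)
    return levels

def proof_for(levels, index):
    """Sibling hashes needed to recompute the root from block number `index`."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index //= 2
    return path

def verify_block(block, index, path, trusted_root):
    """Recompute the root from one block as it is read; reject on any mismatch."""
    node = h(block)
    for sibling in path:
        node = h(node + sibling) if index % 2 == 0 else h(sibling + node)
        index //= 2
    return hmac.compare_digest(node, trusted_root)

def demo():
    levels = build_tree(IMAGE)
    root = levels[-1][0]  # the only value the boot signature has to cover
    good = IMAGE[2 * BLOCK_SIZE:3 * BLOCK_SIZE]
    tampered = b"X" + good[1:]
    path = proof_for(levels, 2)
    return verify_block(good, 2, path, root), verify_block(tampered, 2, path, root)
```

Because each block is checked against the root as it is read, a modified system file is rejected without rehashing the whole partition.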

Android utilizes SELinux in an attempt to protect users from malware. SELinux
controls access to system resources and data. It uses mandatory access control, which
means that applications that request to access a resource must go through a security policy
administrator to do so. This prevents applications from gaining access to more than they
are supposed to.
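
The default-deny decision that mandatory access control makes, shown as an added example that is not from the paper or from any real device policy: the rules use SELinux's `allow` rule syntax, but the type names (`demo_app`, `demo_daemon` and so on) and the helper functions are hypothetical.

```python
import re

# Constructed sample policy in SELinux "allow" rule syntax; type names are hypothetical.
POLICY = """
allow demo_app demo_app_data:file { read write };
allow demo_app demo_socket:sock_file write;
allow demo_daemon system_config:file read;
"""

# allow <source type> <target type>:<object class> <perm> | { <perm> ... };
RULE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+));")

def load_policy(text):
    """Map (source_type, target_type, object_class) to the set of allowed permissions."""
    table = {}
    for src, tgt, cls, many, one in RULE.findall(text):
        table.setdefault((src, tgt, cls), set()).update((many or one).split())
    return table

def check(table, src, tgt, cls, perm):
    """MAC decision: a request is granted only if a rule names it; all else is denied."""
    return perm in table.get((src, tgt, cls), set())

def denied_requests(table, requests):
    """Return the requests the policy refuses, in the order they were made."""
    return [r for r in requests if not check(table, *r)]

# Constructed requests: the app stays inside its own data, then reaches outside it.
REQUESTS = [
    ("demo_app", "demo_app_data", "file", "write"),
    ("demo_app", "system_config", "file", "read"),
    ("demo_app", "demo_app_data", "file", "execute"),
    ("demo_daemon", "system_config", "file", "read"),
]

if __name__ == "__main__":
    for request in denied_requests(load_policy(POLICY), REQUESTS):
        print("denied:", request)
```

The second and third requests are refused even though nothing in the policy forbids them explicitly, which is what keeps an application from reaching more than it was granted.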

Much like their computer brethren, mobile operating systems must use some sort of
file and memory protection. File permissions prevent processes from accessing and editing
whichever files they want. A malicious program could edit critical operating system files or
read stored passwords or other personal information. Memory protection prevents
applications from gaining higher privileges than they are authorized to have.

Mobile operating systems can also provide protection in case a device physically ends
up in the wrong hands. Besides password protection and facial recognition, a device can
protect its data through encryption. If a thief were to attempt to read files off the device by
connecting the device to a computer, the files would be undecipherable and impossible to
decode without the encryption key.

An intriguing new development in the realm of mobile security is a device called
Blackphone. Blackphone is being developed with a focus on security, running on a modified
build of Android called PrivatOS. It is scheduled to be released in June of 2014. The phone
encrypts telephone calls and text messages, and uses VPNs for Internet access. The phone’s
storage is also encrypted. These features are intended to protect the privacy of the user and
make it nearly impossible for the use of the device to be monitored. Blackphone is completely
compatible with Android applications, so while its communications have been made
secure, it is still up to the user to make sure they are responsible when installing
applications.

Mobile operating systems have evolved considerably over the past eighteen years.
With more and more dependence on mobile devices, security must be a large consideration
in the design of the operating systems that run on these devices. The ways the devices can
be attacked are varied, as should be the ways to defend against and prevent these attacks. If a
device like Blackphone is a success, there may be a shift in how these operating systems
function with regards to security and user privacy.