Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Daniel Adams Dr. Box CSC 345 24 April 2014 Mobile Operating Systems and Their Security Operating systems allow users to be able to interact with computer hardware. Hardware has advanced and evolved into many form factors, notably into smaller, more mobile forms. Mobile devices are quickly growing in number and functionality. It has now become the exception rather than the norm to not own a smartphone. Users now have access to more and more features and functionality, which requires a more complex operating system. Included in these features are some sort of security used by the operating system to protect the device. This paper will include a brief history of mobile operating systems and a discussion of mobile security. For the purposes of this paper, a mobile device is defined as a smartphone, tablet, or PDA. The first mobile operating system was Palm OS. Developed by Palm Inc. and released in 1996, Palm OS gave users a graphical interface to control their PDAs. It provided a few apps, but no file system; everything was loaded into RAM. Windows CE, a version of Windows for embedded systems, was also released in 1996. Three years later, in 1999, Nokia released its mobile operating system, Series 40, on the Nokia 7110, the first phone with a WAP web browser. In 2000, the Ericsson R380 was released running Symbian. This phone is referred to as the first smartphone, as it combined the functionality of a cell phone and a PDA. More companies began releasing smartphones shortly thereafter, with the Kyocera 6035 running Palm OS in 2001, and Microsoft and BlackBerry releasing their first smartphones each with their own unique operating systems. The next big step in mobile operating systems happened in 2007 with Apple’s release of the iPhone and iOS. A year later, the first version of Android is released on the HTC Dream. Windows went on to release Windows Phone in 2010. Today, Android and iOS are the most common mobile operating systems, with Windows Phone and Blackberry quite far behind. Other new operating systems that have been announced and are currently being developed are Firefox OS and Ubuntu Touch. Today’s modern mobile devices boast a large array of features, including wireless internet connectivity, GPS navigation, video and audio recording, and music playing. Along with the bevy of features, there are also numerous ways to exploit these mobile devices. Below, some of these exploits will be discussed. Some mobile devices can be victimized by a denial-of-service attack. A denial-ofservice attack is one that prevents a device or resource unavailable to a user that should be able to access it. A particular example of a denial-of-service involved Nokia’s S60 operating system. If an SMS message was received from an email address containing more than 32 characters, the phone would be unable to receive any SMS or MMS messages until a hard reset is performed. Another denial-of-service attack is possible when a malicious application is programmed to consume an excessive amount of power, draining the battery faster than usual. Mobile operating systems are not immune to malware, though it is not as rampant as on computers. Examples of malware than can affect mobile devices are worms, viruses, and Trojans. A worm is a malicious program that actively attempts to transmit itself over a network to infect other devices. A virus is a malicious program that spreads itself when it is run. Viruses and worms can have a variety of effects, including deleting files, corrupting data, accessing private information, and sending spam. A Trojan horse is a program that is disguised as being benign, but allows other users to connect without being detected. The cost of having an infected or otherwise compromised mobile device is high. A user could experience a denial-of-service, which could result in the loss of uptime and data. An especially vicious attack could involve the attacker deleting critical operating system files, rendering the device unusable. A compromise could also be a severe breach of privacy, with an attacker able to gain access to personal files, including contacts, calendar appointments, documents, and media files, and even record telephone calls. A mobile device could also become a part of a botnet, a network of devices that is controlled by a third party when not being used by the user, and is sometimes used to conduct distributed denial-of-service attacks and other malicious acts. An attacker could also force a phone to make calls and drive up costs to the user. Mobile operating systems have safeguards in place to attempt to mitigate these attacks. To prevent the installation of malware, iOS only allows software to be installed through its own app store, and Apple must approve all new applications. On Android, this sort of protection is not offered, but Google does scan apps put on the app store for malware. By default, users can only install applications from Google’s Play Store, but this can be easily changed by just toggling a setting. Recently, Android began providing an option to monitor apps on the device for malicious behavior, and there are a multitude of malware scanning apps available on the Play Store. Windows Phone has a similar appapproval system to prevent applications from being added to the Windows Phone Store, and does not allow applications to be installed other than from the store. Mobile operating systems have lower level safeguards in place to prevent the device from being compromised by a rootkit, a malicious program that conceals itself and other associated processes. iOS and Windows Phone uses a chain of trust where it checks application signatures on boot and stops boot when there is a discrepancy. Android uses a similar system, using hash trees. Android utilizes SE Linux in an attempt to protect users from malware. SELinux controls access to system resources and data. It uses mandatory access control, which means that applications that request to access a resource must go through a security policy administrator to do so. This prevents applications from gaining access to more than they are supposed to. Much like their computer brethren, mobile operating systems must use some sort of file and memory protection. File permissions prevent processes from accessing and editing whichever files they want. A malicious program could edit critical operating system files or read stored passwords or other personal information. Memory protection prevents applications from gaining higher privileges than they are authorized. Mobile operating systems can also provide protection for if a device physically ends up in the wrong hands. Besides password protection and facial recognition, a device can protect its data through encryption. If a thief were to attempt to read files off the device by connecting the device to a computer, the files would be undecipherable and impossible to decode without the encryption key. An intriguing new development in the realm of mobile security is a device called Blackphone. Blackphone is being developed with a focus on security, running on a modified build of Android called PrivatOS. It is scheduled to be released in June of 2014. The phone encrypts telephone calls and text messages, and uses VPNs for Internet access. The phone’s storage is also encrypted. These features are intended to protect the privacy of the user and make it near impossible for the use of the device to be monitored. Blackphone is completely compatible with Android applications, so while its communications have been made secure, it is still up to the user to make sure they are responsible when installing applications. Mobile operating systems have evolved considerably over the past eighteen years. With more and more dependence on mobile devices, security must be a large consideration in the design of the operating systems that run on these devices. The ways the devices can be attacked are varied, as should be the ways to defend and prevent these attacks. If a device like Blackphone is a success, there may be a shift in how these operating systems function with regards to security and user privacy.