Cryptography Reference
In-Depth Information
“traditional” security solutions, e.g. hard disk encryption, network authentication
and encryption, application signing, etc.
Also software distribution for Smartphone platforms addresses security issues in
one way or another, often based on online application markets that require appli-
cation signing. To ensure certain security properties a code reviewing process is
performed, and code is then signed for distribution. The guidelines according to
which the market operator reviews the submitted code are, however, often
unknown. Thus, the customer of an application market must therefore trust the
reviewing process when installing applications. Such a centralised security
management can have advantages: If the quality of the reviewing procedures is
high, it is hard to distribute malware. Further, the distributor can often maintain
control of the distributed software and remotely remove an application if it turns
out to be malicious.
However, the application markets are just at the beginning of their development:
Advertisement companies and the marketing of big companies will soon discover
this new business domain and exploit it extensively. The number of applications
will rise and the market is becoming more and more attractive to attackers. So,
completely manual reviews are not a panacea since it scales poorly. Neither are
automated reviewing processes at the provider-side an option: Applications proc-
ess different types of data, and a characterization of being “malicious” depends on
specifics of this data. Furthermore, Smartphones do come with a large variety of
built-in sensors and data capturing components, which yields an even more
specific target platform a generic application analysis cannot address. In summary:
Security requirements are therefore client-specific, thus a decision whether an
application is seen as malicious or not can, in the end, only be taken by involving
these requirements and observing the computation of applications in question with
client data.
This contribution will focus on high level application security: We first explain the
fundamentals of some common Smartphone security architectures (Section 2) and
discuss the remaining security problems (Section 3). Abstracting from the general
threats a Smartphone faces, we identify specific security issues explicitly induced
by mobile applications that run on Smartphones. Before we conclude our paper
(Section 5), we use this contraposition and sketch possible future security solutions
(Section 4) which can help to design operating systems that provide better security
guarantees when executing applications.
10.2 Currently Security Architectures
We briefly review the security architectures in the current Smartphone landscape.
Our focus is on security features which allow the secure execution of applications
and which protect application and personal data stored on a device.
Search WWH ::
Custom Search