Cryptography Reference
This section gives a short overview of security threats Smartphone platforms are
facing and shows why today's security frameworks are not able to sufficiently
address these issues. In line with our considerations so far, we will again focus on
security problems linked to the application runtime environments of Smartphones.
The reader might wish to consult e.g. [ENISA10] for a more general overview of
information security risks in the context of Smartphones.
10.3.1 Device loss or theft
Today's Smartphones are basically small back offices, and often come with credentials
required to access the company networks, and/or all information required to
accomplish critical tasks even if the Smartphone is offline. Thus, similar to more
sophisticated devices such as Laptop PCs, Smartphones have become interesting
targets for attackers. The risk of theft and the resulting consequences are severe; as
a trivial example consider cached email on a device, which can give enormous
insights when analysed.
Most Smartphone operating systems, including those we considered above, address
this problem by implementing a combination of more or less effective mechanisms:
Many operating systems offer full storage encryption, i.e. data stored persistently
on a device is encrypted. Some devices, such as iPhone 4, offer hardware-supported
encryption with AES. These features are complemented with locking
mechanisms which should prevent unauthorized access to the device. To prevent
brute force attacks, it is not uncommon to completely erase all data after a
specified number of unsuccessful user authentications.
Remote wipe control through mechanisms implemented in, e.g., ActiveSync, is
also widely deployed in today's operating systems.
The main problem of these features, however, is their actual implementation: the
devices themselves are often not protected at all initially, and only security-aware
users or companies will enable and use the corresponding features effectively. Thus, most
application data stored on mobile phones remains highly exposed although
technical features would allow appropriate protection. Responsibility for securing
application data is delegated to the developer.
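The following sketch is an added example, not taken from the original text or from any vendor's implementation. It shows how the mechanisms listed above (storage encryption, passcode lock, erase after repeated failures, remote wipe) can share one design: a random data key is wrapped under a passcode-derived key, and wiping simply discards the wrapped key. The class name, attempt limit and PBKDF2 work factor are assumptions, and the XOR wrap stands in for a real key-wrap algorithm.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor for this sketch


class LockedStore:
    """A random data key wrapped under a passcode-derived key.

    Wiping discards the wrapped key, so data encrypted under the data
    key becomes unrecoverable without overwriting the storage itself.
    """

    def __init__(self, passcode: str, max_attempts: int = 10):
        self.max_attempts = max_attempts  # assumed policy value
        self.failures = 0
        self.salt = os.urandom(16)
        data_key = os.urandom(32)
        kek, mac_key = self._derive(passcode)
        # XOR with the 32-byte KEK stands in for a real key wrap (e.g. AES-KW).
        self.wrapped = bytes(a ^ b for a, b in zip(data_key, kek))
        self.tag = hmac.new(mac_key, self.wrapped, hashlib.sha256).digest()

    def _derive(self, passcode: str):
        okm = hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt,
                                  PBKDF2_ROUNDS, dklen=64)
        return okm[:32], okm[32:]

    def unlock(self, passcode: str):
        """Return the data key, or None on a wrong passcode."""
        if self.wrapped is None:
            raise RuntimeError("store has been wiped")
        kek, mac_key = self._derive(passcode)
        expected = hmac.new(mac_key, self.wrapped, hashlib.sha256).digest()
        if hmac.compare_digest(expected, self.tag):
            self.failures = 0
            return bytes(a ^ b for a, b in zip(self.wrapped, kek))
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.wipe()
        return None

    def wipe(self):
        # Local limit reached or remote wipe command received.
        self.wrapped = self.tag = self.salt = None
```

The failure counter only limits guessing while the wrapped key cannot be copied off the device, which is the gap that hardware-supported key storage is meant to close.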
10.3.2 Implicit and Unintentional Data Flow
Most of the operating systems introduced support application-specific access
control. On different granularities, permissions can help to control the direct
information flow. Sensitive information, e.g. GPS data or microphone streams, will
not be communicated to unauthorized parties.