A Kid’s take on Mobile Application Security
Note: The following article was written a while back me when a professor of mine requested me to write something for her on mobile application security or more specifically smart phones. I didn’t post it till now because I wanted to go through it and make some qualitative changes and add a little more content but seeing my current schedule I really do not have time to do that in the near future and so until I do enjoy the randomness of the post! Also, the reason this is called a kid’s take is because this is prolly the last post I wrote as a minor as I’ve recently turned 18.
Additionally, credit must be given to Akhi Maitra, a personal friend of mine for proof reading it for me, my grammar while typing at 95WPM is terrible and this article would be unreadable without him!
Even though the term Mobile Application Security refers to security implementations for mobile computing devices, the term is largely synonymous with Smart Phone Security. Today, we live in the era of smart phones, which today are several million times fastest than the first computer designed back in the day, and therefore it would be quite accurate to refer to these smart phones as computers.
However, to implement security practically, one has to begin with understanding why there was a lapse in security in the first place. Thus begins our short quest towards understanding why smart phones are the most vulnerable devices around.
Cellular Smart Phones and tablets have memory, processing power, network access and beyond, therefore making them ideal for running a wide range of malware. The age old anti-malware – or anti-viruses as they’re more commonly known – to fight these infectious malware, are however conceptually flawed as of now, at least as far as smart phone security is concerned. Why? Well quite simply put, most commercial anti-virus systems work on the basis of pattern detection. In other words, they check each file against a in-built database of malware signatures and take appropriate actions if such matches are found, and even though this approach is considered great today for personal computer security, for smart phones there are two basic issues:
- Not enough juice. [ In more technical terms, the processing power required for this exhaustive approach is not necessarily affordable or many a times even available. ]
- Battery Limitations.
Smart Phones have battery life, and an antivirus running actively would severely deteriorate the battery life. Also, as proven before if security hampers usability, it’s useless, mainly because if the user thinks that an antivirus application is consuming too much of his/her battery, they’ll shut the app.
Then one asks, “Alright, but why doesn’t my phone have viruses?”
Well, broad-scale viruses are only made when there is a large enough market for propagation. Today, there are several viruses host to the Android platform of mobile OS despite it being built on Linux, an operating system known for stability and security.
The blame for this mainly falls on the user, as a general Linux user has a much better technical understanding of security and other system concepts than the average Android user utilizing the device for Angry Birds or Fruit Ninja. Paraphrasing what Mati Aharoni once said, “Any system’s security is dependent largely on the knowledge and mindset of the person using it”.
Which brings the next question, that is: If the traditional antivirus does not work, then what does?
Well, I’m not a mobile security expert and therefore cannot comment on that, however some of the measures used today are centralized application stores, for example.
On PCs, the user is generally free to download any application from wherever and this is what exposes the user to viruses, on platforms like iOS, Android, BlackBerry, etc the user is confined to downloading all the applications he wants from a centralized application store monitored closely by the operating system developers.
This definitely puts a choke point for malware; however it too has a weakness. The main weakness of this kind of method is Trojans. Trojans to the non-technical user are programs that appear to be useful but have their own malicious hidden agenda concealed in the background. If such a Trojan application is well disguised and splits past the monitors into an application store, no mechanism exists to prevent it. Additionally, if an already approved application releases updates with malicious code, which too will not be detected.
What we learn from this is that mobile application security is an evolving front. Therefore, even though there’s no method to prevent viruses and malware altogether (in my knowledge), technologies like cryptography and steganography can be used to secure data on the device. Also, free VPN services such as OpenVPN and IPSec are available, which allow users to secure the traffic sent over the device. That aside, it’s the user’s responsibility to browse safely and avoid installing applications from an unknown third-party source.