Data Loss Prevention

 View Only

The Potential for Data Loss from “Security Protected” Smartphones 

Mar 21, 2013 11:16 AM

1 Introduction

Smartphones have been widely adopted by organisations for day to day business and operational use, and employees can often access their work related data by connecting to corporate networks using their Smartphones. Many organisations have corporate policies for acceptable usage of computer equipment, which are now being extended to the use of Smartphones, for example the mandatory usage of antivirus software to prevent data loss or corruption. This article first highlights some differences between traditional computer and Smartphone operating systems (OS) and considers various security features provided by Smartphone OS. The article then calls into question the effectiveness of Smartphone antivirus software by presenting an effective malware attack as a practical proof of concept.

 

2 Comparison of Smartphone and Traditional Computer OS

The architecture of Smartphone operating systems like Google Android and Apple iOS are different to the traditional computer OS. Some characteristics and flaws are discussed in the following sections.

2.1 Traditional Computer OS

The security architecture of a traditional computer operating system has a number of rings. For example, the x86 architecture has four rings [1]; ring 0 is used for kernel, ring 1 is used for device drivers, ring 2 is used for System services and APIs and ring 3 is used for user applications. However, some major operating systems including Microsoft Windows [2] and Linux only implement two rings. Ring 0 is used for kernel and device drivers whereas ring 3 is used for user applications. The potential risk of such an implementation is that, if a malicious application manages to compromise a device driver, it could also compromise the kernel and in turn the whole OS. This leads to the serious situation whereby a rogue application might get root or kernel access [3]. Another potential weakness is that an OS may not isolate applications based on users. This is illustrated in Figure 1 in which the task manager shows applications sharing common usernames 'User1' and 'SYSTEM'. There may be security risks if all user applications have the same rights as that of the logged in user and if applications can share each other’s resources.

Figure 1 Windows Task Manager shows applications sharing 'User Name'

2.2 Smartphone OS

Smartphone operating systems, such as Android and iOS, implement a kind of ring (or layered) architecture. For example, Figure 2 shows the Android structure [4].

Figure 2 Android Architecture

The basic principle is that user applications run in the application layer and only Android OS services should get system level access and be able to run as ‘root’. This is true for normal non “jail-broken” phones. A jail-broken phone is a phone that bypasses limitations imposed by the OS so that users can install custom applications and even get root access. Clearly the practical feasibility of jail-breaking Smartphones and then misusing privileges is a major security concern and a related experiment is described in section 4.

Typically a Smartphone records the permitted access to system resources when the application is installed by the user. A unique user identifier (ID) is created for every application at the time of installation. The OS maintains the details of the access rights for every user ID [5]. The username for an installed application can be different for the same application on different phones. The OS should not allow access to resources unless the user has granted permission. Android and iOS implement process isolation whereby each application runs in its own sandbox so that an application should not be able to access resources of other applications [6]. If an application is compromised, the damage should then be limited to the application and the resources it has access to. However, if the rogue application is somehow given root access then the potential for damage is great.

 

3 Comparison of Computer Antivirus with Smartphone Antivirus Software

If a company is concerned about IT security risks then its security policy may mandate the use of computer antivirus software to protect against threats such as a virus, Trojan, malware, malicious code, root kits, intrusion and web content. Enterprise antivirus solutions provide additional features including system lock-down, application and device control, application white listing and blacklisting, host integrity and network access control. Smartphone antivirus products typically support antivirus, web content filtering, anti-theft, parental control and call/text blocking.

The architecture of a traditional computer operating system allows an antivirus application to gain kernel or root access. Figure 3 shows that Symantec antivirus, ‘Smc.exe’ is running as ‘SYSTEM’. The user ‘SYSTEM’ is used by the OS.

Figure 3 Symantec Antivirus (Smc.exe) Running as 'SYSTEM'

 

However, a very important difference for Smartphone antivirus is that it does not have root or kernel access. In fact an antivirus on a Smartphone is just like any other user application. Figure 4 illustrates that Symantec Mobile security is running on an Android phone as user ‘app_39’.

Figure 4 Symantec Mobile Security Running as user 'app_39'

 

4 Proof of Concept Exploit Against Smartphone Security

An experiment was carried out in order to assess the practicality of bypassing Smartphone control of security privileges and also the security products which are meant to provide protection. The first stage of the process was to jailbreak the phone by using CyanogenMod. The phone in question was a HTC G1 Android phone, but other phones including iPhones could have been targeted with a similar type of approach. The processes for jail-breaking are described on the Internet [7] and when successfully executed provide unrestricted application download and root access to the OS. There is a terminal for direct access or the privileges can be granted to user applications. Whilst the development of a jail-breaking strategy/utility requires expertise, to use the utility is relatively simple. A user just needs to follow a sequence of steps, and importantly this is no longer considered as an illegal activity.

A proof of concept malware ‘safebot’ [8] was loaded onto the phone. The malware actually deleted SMS messages soon after reception by the phone, without them ever reaching the application layer or alerting the user on the display of the phone. Smartphone antivirus products i.e. Norton Mobile security and McAfee Mobile Security were loaded in turn to try and address this problem. Unfortunately neither product could detect the presence or operation of the malware. However, the same malware file 'safebot' is detected as Backdoor.Trojan on computer by Anti-virus products. This means that an attacker could potentially introduce a rogue application (root kit) in the security architecture which can effectively eavesdrop, modify, delete and generate data between the connecting layers. The reason for this can be seen in Figure 5; the malware is running with 'root' access whereas the antivirus is running at the application layer.

Figure 5 Proof of Concept 'Safebot' Malware Running as 'Root' on a rooted Android phone.

 

5 Conclusions and Suggestions

From a security perspective it is clear that traditional computer platforms are far from perfect, however their problems are reasonably well understood and there are third party products such as antivirus software that can help add protection. Our investigations have shown that commonly used Smartphone platforms have significant differences to traditional computers and cannot be compromised easily. Evidence from experiment shows that malware may be installed with root access on 'jail-broken' smartphones and yet remain invisible to commercial anti virus products that are restricted to the application layer. Malware that has root privilege has access to all the system resources and can potentially exfiltrate data such as files, contacts, browsing history, web form data and other user sensitive information without the users consent. It is the ability for applications to get root access that is the main concern and security policy should certainly forbid use of jail-broken Smartphones for corporate use. Organizations should consider using tools like 'Mobile Device Management' and 'Network Access Control' for smartphones.

 

Author: Vikas Rajole (vikas.rajole@gmail.com) M.Sc. Information Security from Royal Holloway, University of London.

Co-authors: Dr. Keith Mayes (Keith.mayes@rhul.ac.uk) Director, Smart Card Center, Royal Holloway University of London.

http://www.scc.rhul.ac.uk/people.php

and

Kostantinos Markantonakis (K.Markantonakis@rhul.ac.uk) Professor at Royal Holloway, University of London.

http://www.isg.rhul.ac.uk/~kostasm/

 

References:

[1] X86 Ring Architecture http://en.wikipedia.org/wiki/Ring_(computer_security)

[2] Windows Architecture http://technet.microsoft.com/en-us/library/cc768129.aspx

[3] White Paper: Symantec Security Response – Windows Rootkit Overview http://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf Page 5

[4] Android Architecture http://developer.android.com/guide/basics/what-is-android.html

[5] Android Application Sandbox http://source.android.com/tech/security/index.html

[6] Whitepaper by Symantec – “A Window Into Mobile Device Security”, http://www.symantec.com/content/en/us/about/media/pdfs/symc_mobile_device_security_june2011.pdf

[7] YouTube video link on "How To Root T-Mobile G1 with Android 1.6"

http://www.youtube.com/watch?v=u8F7FVISb7w

http://www.youtube.com/watch?v=H00kN2K2Q_8

 

[8] Georgia Weidman's website that provides the download link for "Proof of Concept" safebot malware, http://www.grmn00bs.com/2011/07/11/more-Android-sms-bot-stuff

Statistics
0 Favorited
0 Views
0 Files
0 Shares
0 Downloads

Tags and Keywords

Comments

Jun 03, 2013 07:13 AM

Thanks Vika, I'll take a look.

Regards,

 

Juan

May 24, 2013 04:11 PM

Hi Mick,

I don't remember the exact version but I did the testing in August 2011. The reason I did it on HTC G1 was because the precompiled 'safebot' code was written for HTC G1. However, the principle aplies for other devices with android. Here's how you can do it.

1. Root an Android device with a terminal emulator.

2. Copy a malware that is identified by existing definitions.

3. Give the malware root access by running the 'chmod' command. e.g.  #chmod 777 safebot

4. Install antivirus on the android device and run a scan.

 

May 24, 2013 03:36 PM

Hi Juan,

Just after this article got published, GRIN offered me to publish my thesis as a book. I am re-writing the text and a book with an ISBN should be there soon. I cannot share the soft copy as I have singed a contract with GRIN. Meanwhile the softcopy can be found here http://www.grin.com/en/e-book/214409/potential-for-data-loss-from-security-protected-smartphones

Regards,

Vikas

May 24, 2013 08:35 AM

There are new threats against Android seen every day.  Symantec Security Response has often blogged about new directions and developments.... definitely worth reading.

https://www-secure.symantec.com/connect/search/apachesolr_search/Android?filters=tid%3A2261%20type%3Ablog&solrsort=created%20desc

May 24, 2013 08:03 AM

With a whopping 72% Android's market share I can only say that Andriod will be the biggest target for Cyber Criminals like Windows is.

May 24, 2013 07:18 AM

Really, really interesting. Could we have access to the full paper or it is private?

Regards,

Juan

May 24, 2013 06:12 AM

Thanks Vikas- when time allows, can you add the info on which exact release of Norton Mobile Security  you tested with, and with which definitions? (I use Symantec Mobile Security 7.2 myself, which runs on Android 2.2 and above.  have not tested with a 1.x device like a T-Mobile G1)

There's a lot of interesting stuff of Georgia's site- will have to explore that in more detail soon. &: )

The latest ISTR from Symantec has some Mobile malware info you may find useful:

2013 Internet Security Threat Report Now Available! Mobile Malware News....
https://www-secure.symantec.com/connect/forums/2013-internet-security-threat-report-now-available-mobile-malware-news

Cheers once again!

May 24, 2013 05:33 AM

Hi Mick,

 

The link was available at the time of my writing, however the original precompiled 'safebot' and source code of the malwareshould be available on her new website. The precompiled 'safebot' is detected as Trojan.backdoor by Symatec Security Response.

May 24, 2013 04:47 AM

BTW, the link to http://www.grmn00bs.com/2011/07/11/more-Android-sms-bot-stuff is dead.

This one is probably the one meant...

Georgia Weidman's Security Blog
http://georgiaweidman.com/wordpress/category/research/

May 21, 2013 07:38 AM

"Thumbs up" - many thanks for highlighting the growing, serious issue of smartphone malware!

Readers of this article may be interested in learning more about Symantec Mobile Security 7.2, our product which defends Androids (version 2.2 and above).

Illustrated Guide to Installing Symantec Mobilie Security 7.2

https://www-secure.symantec.com/connect/articles/illustrated-guide-installing-symantec-mobilie-security-72

Getting to Know the Symantec Mobile Security 7.2 Client

https://www-secure.symantec.com/connect/articles/getting-know-symantec-mobile-security-72-client

 

 

May 08, 2013 03:26 AM

Vikas, very informative article. Great job

May 06, 2013 05:32 AM

This article is a summerized version of my M.Sc. Information Security project thesis submitted to Royal Holloway, University of London.

Related Entries and Links

No Related Resource entered.