Questions for an upcoming exam

(@forveux)
Eminent Member
Joined: 11 years ago
Posts: 20
Topic starter  

Hi all,

I have a mobile phone security exam coming up, and the lecturer has given us the following exam questions. Each question is worth two marks.

I'll give my answer to each question with justifications. Please provide input if you wish )

1. How does the Android operating system enforce separation between processes?

Each application runs in its own operating system process - essentially its own sandboxed environment. The only way an application can place a system call into the kernel is via Linux file permissions that are made known upon application install/first use.

2. What are the security implications of forcing a process to access sensitive function calls via an operating system API?

If a (public) API requests permissions beyond its functions (which are/should be based on the principle of least privilege), and they're granted, its sub-routines/function calls could perform system calls into the kernel. This is what the OS is built on, so causing a system crash by passing malicious code (via system call to kernel) can result in it being executed upon recovery.

3. What is the generic term for an attack which uses user input to the program to modify the execution path of the program by over-writing instructions in memory?

A buffer overflow. Junk data is input to an array that, thanks to C programming, is without bounds checking. This results in a crash, and when the program in the crashed space recovers, malicious code that was overflowed into it from the previous array's junk data is executed.

4. Describe what is meant by the term ‘modulation’ when considering radio signals.

Varying one or more properties of a sine waveform (carrier signal) with a modulating signal that contains information to be transmitted

5. One of the arguments for a BYOD program is as a cost saving measure; do you think this is a valid argument? Why?

Depends on the method of implementation. A proactive BYOD program, where operational and technical policies have been developed and applied on devices yet to be introduced, would result in fewer costs than a reactive BYOD program, which you see in most enterprises today - users push the implementation quicker without considering the business impact that rushed BYOD policies could bring about. Costs would then increase as problems arise from the lack of foresight demonstrated in the planning stage.

6. How does requiring applications to declare the permissions they require prior to installation and at first use of those permissions help to improve the security of the mobile device?

Users can choose to keep or remove the application. Malicious software will commonly request high level permissions, such as system/kernel access even though the application may be a social networking app.

7. Describe how the Trojan ZitMo most often infects a system and its main purpose once installed.

It is infected via socially engineered emails, whereby the user is 'seduced' into clicking a link. This email is the dropper. The payload is a crafted page made to look like the user's bank. It grabs usernames and passwords the user enters into the fake banking portal. Information is altered, resulting in money being deposited into the attacker's bank account. Out-of-band two-factor authentication is defeated when the SMS code is intercepted by the attackers - it never reaches the victim.

8. How does Smishing differ from Phishing?

Smishing is socially engineered attacks via SMS, where the latter is via email. Smishing sends SMSs to targets containing links (droppers) which appear legit to the user (like banking emails that ask you to click a link to verify your account before it gets deleted).

9. Windows Phone uses Security Chambers to limit the access that an application has to the system. How does this differ from Sandboxing?

Particular software running on a Windows 8 phone is relegated to the 'sphere of least privilege', meaning the least amount of rights are given to an app as it requires. These range from the trusted computing base, where the code that maintains the security policy of the device runs, to the Least Privileged chamber, where user-installed apps are run. Sandboxing relies on permissions granted on an individual basis - so a user-installed app could be given rights relative to the TCB (is able to place system calls to the kernel directly).

10. Why is it important to conduct a risk assessment when deciding on security policies for mobile applications or deployments?

Taking a page from enterprise security, such as the SABSA framework, a risk assessment identifies assets that are good and bad risk - opportunities and threats. This is key to a planning stage that precedes any policy implementation. As mentioned previously, proactive measures over reactive.

11. Mobile devices are often used by employees to access email remotely, in the event that the mobile device is lost or stolen, what is the first line of defence in preventing unauthorised access to the user’s mailbox? What other controls might be appropriate?

First line of defence is the screen lock. Multi form authentication exists, but what is primarily used is something known (password). If this is defeated, another credential prompt can be implemented when the corporate email app is called up. What is better is a remote wipe of the device's encryption key, rendering the data on the device inaccessible. Do not use pattern/swipe gestures - oil on your skin can leave traces on the surface which can indicate the pattern used.

12. When conducting a security review of a mobile application, much of the focus is often directed towards the local application. What other components of the application should be reviewed for security weaknesses? Why?

How data is encrypted at rest - if application information is stored locally, is it encrypted on the phone's internal storage or is a separate application required.

How data is encrypted at the transport layer/data in motion - are credentials hidden when the application communicates with the application's external database via CDMA or wireless.

Whether or not the permissions requested by the application are necessary - developers use third party libraries to speed up the creative process. If an application has high level access, third party libraries can contain weaknesses/vulnerabilities (an attack vector is a way of triggering/reaching the vulnerability) that can be exploited.

13. Mobile applications occasionally use identifiers such as the IMEI number of the phone as a second factor of authentication. Is this true two-factor authentication? Why/Why Not?

This second factor of authentication is one part of two-factor authentication - IMEI is something owned (the other, most commonly, is something known - a password). It uses out-of-band authentication - the traditional cell phone network - to transmit a security token to the phone which matches with a session the user's username/password combination has initiated.

14. What is the risk if a piece of mobile malware gains access to SMS capabilities?

SMS can be sent from the device to a "Premium" number, most likely a sex chat hotline, charging the user high fees.

15. SMS is sometimes used to send one time passwords to users for access to VPNs etc. Is there a significant risk in doing this? Why?

If a mobile device has been infected, the token can be captured - as is the case where the device is infected with ZitMo. If the device that the token gets sent to is lost, access to VPN/banking is lost.

16. Policies are sometimes used in the event that a technical is not available or not feasible. What other purpose do written policies serve in an organisation?

These policies are geared towards being purely operational - when an operational policy isn't translated into a technical policy, it is geared towards providing information as to how a process/procedure aids a business driver in achieving its goals. Examples of these policies are acceptable use and security policies - they are strict guidelines an employee agrees to adhere to upon beginning their term of employment.

17. Apps from the Apple App Store are reviewed by Apple prior to being published on the App Store. How does Apple prevent non-approved apps from being installed on iOS devices?

iOS devices, unless rooted (where the boot chain is broken), are only allowed to buy/download apps from the App store - a non-approved app does not get published in the app store and therefore is not able to be downloaded onto an iOS device.

18. The BlackBerry architecture for email synchronisation is somewhat different from the other players in the Smart phone market. Describe the main difference.

Android and iPhones use mail applications installed on their phones that use processing power to request inbox updates every few minutes (depending on settings).

BlackBerry uses a server-to-server model, using the device as the front end. All BB details are stored on a BES. The BES requests inbox updates instead of the device, giving the BB increased battery life over its counterparts.

19. Storage of data in cloud services is an increasingly large part of the mobile ecosystem. Explain why this might or might not present a security issue.

The sphere of influence a company's security policy is designed to encompass is pushed outwards to include assets that are not under their direct control. The security of Data in motion (between cloud and company) and data at rest (in cloud) is reliant on a third party's proficiency in securing said data.

20. Near Field Communications allow devices to share small amounts of data when in close proximity, with no requirement to pair the devices. Briefly analyse one of the security issues this presents.

No pairing = no encrypted communication channel. This opens up a risk of NFC enabled cards being cloned by an NFC reader passed within close proximity of a user's wallet. This leads to the details being copied/cloned onto another card/used in replay attacks from the cloning device.

Thank you very much for taking the time to read my post. Much appreciated.
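As an added illustration of the point made in the answer to #3 (not code from the original post): a C array filled from user input by an unchecked `strcpy`, beside a copy that checks the length first and rejects input that does not fit. `BUF_LEN`, the function names and the sample inputs are all assumed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16   /* assumed size of the fixed array user input is written into */

/* Unchecked copy: strcpy stops only at the NUL terminator of src, so any input of
 * BUF_LEN or more characters writes past the end of dst and corrupts whatever the
 * compiler placed after it. Shown for illustration; only ever call it with input
 * that is known to fit. */
void copy_unchecked(char dst[BUF_LEN], const char *src)
{
    strcpy(dst, src);
}

/* Number of bytes an unchecked copy of src would write beyond a dst of dst_len
 * bytes (the NUL terminator counts); 0 means the input fits. */
size_t overflow_bytes(size_t dst_len, const char *src)
{
    size_t needed = strlen(src) + 1;
    return needed > dst_len ? needed - dst_len : 0;
}

/* Bounds-checked copy: refuses oversized input instead of truncating it silently,
 * so the caller can treat it as an error rather than corrupting memory. */
bool copy_checked(char *dst, size_t dst_len, const char *src)
{
    if (dst_len == 0 || overflow_bytes(dst_len, src) != 0)
        return false;
    memcpy(dst, src, strlen(src) + 1);
    return true;
}

/* Convenience wrapper for a BUF_LEN array; reports whether the input was accepted. */
bool fits_in_buf(const char *src)
{
    char buf[BUF_LEN];
    return copy_checked(buf, sizeof buf, src);
}

int main(void)
{
    /* Constructed inputs: one that fits and one "junk" string longer than the array. */
    const char *ok = "short input";
    const char *junk = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* 32 bytes */
    char buf[BUF_LEN];

    copy_unchecked(buf, ok);   /* safe here: 12 bytes into a 16-byte array */
    printf("unchecked copy of ok input: %s\n", buf);
    printf("unchecked copy of junk would overrun by %zu bytes\n", overflow_bytes(BUF_LEN, junk));
    printf("checked copy accepts junk: %s\n", fits_in_buf(junk) ? "yes" : "no");
    return 0;
}
```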
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

I won't comment on any of the more technical points, but with reference to #5, this may be of interest to you
http://www.forensicfocus.com/Forums/viewtopic/t=10567/

jaclaz

(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

4. Describe what is meant by the term ‘modulation’ when considering radio signals.

Varying one or more properties of a sine waveform (carrier signal) with a modulating signal that contains information to be transmitted

This is not a criticism of you forveux but perhaps due to my ignorance of university; do you really get two marks for the brevity of your answer above?

You said you have a mobile security exam, yet neither the question nor your answer specifically comments on mobile security. If the questioner intended you to take it as read that the question requires a mobile security angle, then your answer above doesn't give it.

Perhaps as an observation (intended to be helpful) you may wish to consider in a sentence the distinction between analogue and digital signalling. Can radio signals be encrypted or because these signals are analogue in nature can information be hidden within analogue radio signals once treated by modulation to encrypt the information embedded in the signalling? Is there a requirement for both transmitter and receiver to know how data is encoded and represented in the communications signal to form a basis for a security model?

(@forveux)
Eminent Member
Joined: 11 years ago
Posts: 20
Topic starter  

It's constructive criticism ) This isn't an exam I've done; these are practice questions (of which we haven't been given answers).

And your reply has helped me significantly. I'll post the edit shortly after further research.

Cheers guys