Security in Mobile Computing – Device Security

Evolution & Usage of Modern Mobile Devices

  • Rapid hardware & software evolution → smartphones = powerful general-purpose computers in pockets.
  • User behaviour shift:
    • >70\% of daily on-line time now on mobile (banking, shopping, e-mail, social media, IoT control, etc.).
    • Device is simultaneously camera, wallet, key, personal diary, navigator.
  • Security implications:
    • Sensitive data is created, processed & stored locally.
    • Always-on connectivity (Wi-Fi, 4G/5G, NFC, Bluetooth) broadens attack surface.
    • Small size ⇒ easy to lose or steal ⇒ physical compromise risk.
    • Monetisation channel built-in (operator billing, in-app purchases, NFC pay) ⇒ strong economic incentive for attackers.

Mobile Device Security Concerns

  • Wireless communication is inherently broadcast ⇒ eavesdropping & spoofing easier than on wired links.
  • Aggregated personal content on device:
    • E-mails, calendars, contacts, pictures, location history, health data.
    • Attack = single point of failure for user’s digital life.
  • Growth of underground economy:
    • Stolen data, botnet rental, ransomware, ad-fraud.

Personally Identifiable Information (PII)

  • Definition: Any datum that can single-handedly or collectively isolate or identify a person.
  • Typical mobile PII:
    • E-mail address, phone number
    • Hardware IDs: MAC, IMEI, IMSI, Bluetooth address
  • Sensitivity & misuse:
    • Tracking of movement, profiling of habits, linking of on-line & off-line identities.
    • Machine-learning pipelines depend on PII for personalised recommendation; marketers maintain ever-growing databases.
  • Security issues:
    • \textbf{Insecure~transfer} – clear-text HTTP, weak TLS ⇒ interception.
    • \textbf{Insecure~format} – PII stored as plain SQL/JSON/XML inside app sandbox.
    • \textbf{Insecure~remote~storage} – poorly configured cloud DB ⇒ mass leak.
    • \textbf{Accidental~exposure} – debug logs, query strings, dashboard widgets show e-mail / phone.
  • Defensive mindset:
    • Scrutinise permission requests; “least privilege” principle.
    • Install from reputable stores only; deny excessive permissions.

Mobile Malware

  • Definition: Malicious code aimed at compromising mobile OS, data or user wealth.
  • Motivations & impacts:
    • Harvest credentials ⇒ direct bank theft.
    • SMS premium fraud – device silently texts pricey numbers.
    • Botnet enlistment ⇒ DDoS, click-fraud.
    • Data wipe / “bricking”.
  • Infection vectors:
    1. \textbf{Phishing} – fake sites emulate originals.
    2. \textbf{Trojanised apps} – repackaged popular APK with extra payload; uploaded even to official stores.
    3. \textbf{Spyware} – background keylogging & screenshot.
    4. \textbf{Man-in-the-Middle (MitM)} on public Wi-Fi.
    5. \textbf{Direct attack} via MMS/SMS, Bluetooth worms.
    6. \textbf{Third-party repositories} – no curation.
  • Example (Kakao Talk):
    • Legit vs modified binary permissions list shows added abilities (send SMS, record audio, manage accounts) → red flag.

Best Practices to Avoid Malware

  • Install only from official stores (Google Play, Apple App Store, Microsoft Store).
  • Verify publisher identity; look for spoofed names & review counts.
  • Avoid side-loading from *.apk, *.exe, uncertified markets.
  • Review requested permissions; deny what is not required for core functionality.
  • Keep OS & apps patched; enable Google Play Protect / iOS Gatekeeper.

Wireless Connection Security

Risks Associated with Text Messaging (SMS/MMS)

  • Impersonation / identity theft – sender ID spoofing.
  • Spam & malware delivery.
  • Persistent local history ⇒ privacy loss upon device theft.
  • Linguistic influence on youth (slang overuse) – social / educational concern.

Wi-Fi (WLAN) Security

  • Wireless = broadcast medium: any radio within range can capture frames.
  • Misconfigurations (open networks, weak WEP, default WPA keys) invite interception.
  • Recommended counter-measures:
    • Prefer encrypted networks; avoid open SSID.
    • Use WPA2 or WPA3 with strong passphrase >!12 random characters.
    • Employ VPN tunnelling (IPsec, WireGuard, OpenVPN) on public hotspots.
    • Access only HTTPS sites (TLS \ge 1.2); watch for certificate warnings.
    • Disable auto-connect to unknown SSIDs.
  • Ethical note: Operators of free Wi-Fi often harvest traffic for analytics – informed consent & transparent policies needed.

“Evil Twin” Wi-Fi Attack

  • Attacker sets up rogue AP named like legitimate (“UiTM_Hotspot”).
  • Victim auto-connects; all traffic passes through attacker’s proxy.
  • Enables credential stealing via fake captive portals or SSL-stripping.
  • Defence: validate certificate, use VPN, inspect MAC/BSSID of AP, deploy 802.1X.

Bluetooth Security Threats

  • Bluetooth forms Personal Area Network (PAN) automatically – convenience vs attack surface.
  • Main attacks:
    1. \textbf{Eavesdropping / MitM} – attacker inserts two dummy devices between Victim A & Victim B, relays & records.
    2. \textbf{MAC spoofing} – clone victim’s MAC so inbound traffic diverts to attacker.
    3. \textbf{DoS – “Big NAK”} – flood with negative acknowledgements, draining battery.
    4. \textbf{Blue-Snarfing} – unauthorised reading/alteration of contacts, calendar, media.
  • Best practice: keep Bluetooth off when not in use, pair only in private, use Bluetooth\,5 secure connections, set device to non-discoverable.

Authentication & Authorization

  • Two-stage access control:
    • \textbf{Authentication}: prove identity.
    • \textbf{Authorization}: determine permitted actions.

Passwords / PINs

  • Pros: cheap, ubiquitous; compatible with legacy systems.
  • Cons: weakest factor; users choose predictable strings ("1234", "password").
  • Administrative controls:
    • Complexity policy (min length \ge 8, mix of classes).
    • Expiry (e.g., 90 days).
    • Account lockout after N failed attempts (usually N!=!5).
  • Attack resilience: dictionary & brute force; mitigated by \text{salted hash} storage and key-stretching (PBKDF2, bcrypt).

Biometrics

  • Body becomes the key. Traits:
    • \textbf{Physiological} – fingerprint, face, iris, retina.
    • \textbf{Behavioural} – voice, gait, keystroke dynamics.
  • Advantages:
    • Cannot be forgotten, difficult to share, harder to forge, requires presence.
  • Challenges & ethics:
    • Liveness detection (anti-spoofing), privacy of biometric templates, irreversible leak (fingerprints cannot be "revoked").

Pattern Lock (Android)

  • 3 × 3 grid; user draws a swipe path length 4\text{–}9.
  • Combinatorics: 389\,112 possible distinct patterns vs 456\,976 for 4-character case-insensitive password.
    • Derivation (simplified): \sum_{k=4}^{9} P(9,k) where P(9,k)=\frac{9!}{(9-k)!}.
  • Usability high; vulnerability: shoulder-surfing & oily residue.
  • Hard & “cool” patterns exist, yet many users pick predictable shapes (letters, simple lines).

Comparative Summary

FactorSecurityEase of UseImplementationWorks on Phones
Password/PINWeakEasyEasyYes
BiometricsStrongModerateHardIncreasingly
Pattern LockWeak–ModEasyEasyYes

Practical, Ethical & Real-World Considerations

  • Balance convenience vs protection: stronger controls can reduce user adoption; education crucial.
  • Regulatory landscape (GDPR, CCPA) mandates explicit consent for PII collection & breach notification.
  • Developers should embrace privacy-by-design: data minimisation, end-to-end encryption, secure coding.
  • Societal impact: language & cognitive effects of pervasive texting; digital divide amplified by security literacy gap.
  • Corporate responsibility: provide secure defaults (e.g., Android’s Scoped Storage, iOS Secure Enclave).
  • Future trends: 5G slicing implies new isolation challenges; IoT integration broadens mobile attack vectors.

End of consolidated study notes for “Security in Mobile Computing – Topic 6: Device Security”.