Karsten Sohr
ABSTRACT
More and more functionality is provided by mobile phones today; this trend will continue over the next years. However, with the increasing functionality new risks go along. This not only applies to security-critical mobile applications such as m-banking or m-commerce applications. The end user's privacy may also be in danger or the operator may be the target of an attack. In this paper, we discuss security risks introduced by mobile phones considering the perspectives of the different parties involved in telecommunications systems. Specifically, we demonstrate those risks by means of a security hole discovered in a large number of mobile phones. The security hole can be exploited to obtain manufacturer or even operator permissions. In particular, we implemented a Java-based Trojan horse. This way, the compromised mobile phone can be used as an eavesdropping device by an attacker. All in all, this demonstrates that the risks are not only theoretical, but also real. We also sketch a methodology for the security analysis of mobile phone software.
- M. Bond and R. Anderson. API-level attacks on embedded systems. Computer, 34(10): 67--75, 2001. Google Scholar
Digital Library
- L. Burdy, Y. Cheon, D. Cok, M. Ernst, J. Kiniry, G.-T. Leavens, K. Leino, and E. Poll. An overview of JML tools and applications. In Proc. 8th Int'l Workshop on Formal Methods for Industrial Critical Systems (FMICS 03), pages 73--89, 2003.Google Scholar
- B. Chess and J. West. Secure Programming with Static Analysis. Addison-Wesley, 2007. Google ScholarDigital Library
- W. Enck, M. Ongtang, and P. McDaniel. Understanding Android Security. IEEE Security and Privacy, 7(1): 50--57, 2009. Google ScholarDigital Library
- Enea AB. OSE 5.0 Architecture, 2004. http://www.enea.com.Google Scholar
- Enea AB. Enea Wins New Wireless Deal Worth MSEK 30, 2008. http://www.enea.com/Templates/NewsPage___24486.aspx.Google Scholar
- S. Garfinkel and G. Spafford. Practical Unix and Internet Security. O'Reilly, 2nd edition, 1996. Google ScholarDigital Library
- Gemalto S. A. Developer Suite V 3.0, 2007.Google Scholar
- Google Inc. Android---An Open Handset Alliance Project, 2008. http://code.google.com/android/documentation.html.Google Scholar
- M. Hypponen. Malware Goes Mobile. Scientific American, 295(5): 46--53, 2006.Google Scholar
- Java Community Process. List of all JSRs, 2007. http://jcp.org/en/jsr/all.Google Scholar
- Java Community Process. Security and Trust API for J2ME, 2007. http://jcp.org/aboutJava/communityprocess/jsr177.Google Scholar
- JSR 118 Expert Group. Mobile Information Device Profile for the Java 2 Micro Edition Version 2.1, 2007.Google Scholar
- J. Kiniry. Personal communication, 2009.Google Scholar
- ARM Limited. ARM Security Technology Building a Secure System using TrustZone Technology. White Paper, 2009.Google Scholar
- G. McGraw. Software Security: Building Security In. Addison-Wesley, 2006. Google ScholarDigital Library
- G. McGraw and E. W. Felten. Securing Java: Getting Down to Business with Mobile Code. Wiley, 2nd edition, 1999. Google ScholarDigital Library
- B. Meyer. Object-Oriented Software Construction, 2nd Edition. Prentice-Hall, 1997. Google ScholarDigital Library
- Nokia. Malware CommWarrior, 2005.Google Scholar
- Open Mobile Alliance. DRM Content Format Approved Version 2.0, 2006.Google Scholar
- Open Source Cert Advisory. #2009-006---Android improper package verification when using shared UIDs, 2009. http://www.ocert.org/advisories/ocert-2009-006.html.Google Scholar
- E. Poll, J. van den Berg, and B. Jacobs. Specification of the Javacard API in JML. In Proceedings of the Fourth Working Conference on Smart Card Research and Advanced Applications, pages 135--154, 2001. Google ScholarDigital Library
- A. Raza, G. Vogel, and E. Plödereder. Bauhaus---A tool suite for program analysis and reverse engineering. In Ada-Europe, volume 4006 of LNCS, pages 71--82. Springer, 2006. Google ScholarDigital Library
- Research in Motion. BlackBerry Enterprise Solution -- Security Technical Overview, 2008. http://www.blackberry.net/products/software/-server/exchange/security.shtml.Google Scholar
- S. Shankland. Mobile Java Hit with Security Scare, October 2004. CNET News.Google Scholar
- Sun Microsystems. Connected Limited Device Configuration Specification Version 1.1, 2003.Google Scholar
- Sun Microsystems. Java Card 2.2.2 Platform, 2006. http://java.sun.com/products/javacard/specs.html.Google Scholar
- Symbian Ltd. Symbian Signed, 2006. https://www.symbiansigned.com.Google Scholar
- P. Traynor, P. McDaniel, and T. La Porta. On Attack Causality in Internet-Connected Cellular Networks. In Proceedings of the USENIX Security Symposium (Sec'07), August 2007. Google ScholarDigital Library
- P. Traynor, V. Rao, T. Jaeger, P. McDaniel, and T. La Porta. From mobile phones to responsible devices. Technical report, Pennsylvania State University, Network and Security Research Center, January 2007.Google Scholar
- trifinite.org group. Homepage, 2006. http://trifinite.org.Google Scholar
Index Terms
- Software security aspects of Java-based mobile phones
Recommendations
Awareness, Knowledge, and Ability of Mobile Security Among Young Mobile Phone Users
The research literature on awareness, knowledge, and ability of mobile security of young mobile phone users was reviewed in this article. The existing literature suggests that young mobile phone users are usually not aware of potential mobile security ...
Design, Realization, and Evaluation of xShare for Impromptu Sharing of Mobile Phones
Mobile phones are truly personal devices loaded with personal data such as photos, contacts, and call history. Yet it is often necessary or desirable to share our phones with others. This is especially true as mobile phones are integrating features ...
Does multitasking with mobile phones affect learning? A review
Mobile phone multitasking is widely considered to be a major source of distraction in academic performance. This paper attempts to review the emerging literature by focusing on three questions concerning the influence of mobile phone multitasking on ...
Comments