Mobile OS Models and Architecture: The rapid adoption of the mobile device in the workplace has had two obvious consequences: an increase in productivity and capability as well as a corresponding rise in the number of security risks.
The designers of devices have frequently made a tradeoff between security and features by leaning toward features, with security being an afterthought.
While new security features have helped to somewhat reduce the issues present, many of the devices still have problems to be addressed.
Mobile Security Models and Architectures
NOTE: – A great many problems in enterprise environment come from the fact that devices owned by individuals transition in and out of the enterprise eco-system.
Devices that are used for both personal and business reasons end up mixing the security needs and data types of both areas in a potentially insecure manner.
Security manager of many organization have had deal with personally owned devices accessing corporate services, viewing corporate data, and conducting business operations.
Compounding this problem is that these personally owned devices are not managed by the organization, which means, by extension, anything stored on them isn’t managed either.
Goals of Mobile Security
Mobile operating systems come in four flavors: Blackberry, Windows Mobile, Google Android, and Apple iOS. Of these, the Apple iOS and Google Android operating systems are by far the ones most commonly found on modern devices.
Note: – Of the mobile systems available, the Android operating system dominates with about 83 percent of the market share.
Second place in the market is Apple’s iOS with about 14 percent and windows and Blackberry owning 2.6 percent and .3 percent, respectively.
An estimated 1.5 billion devices are running the Android OS worldwide, and this trend is showing no signs of slowing down anytime soon.
Both of these operating systems have been designed to address some of the most basic threats and risk right out of the box, such as the following:
- Web-based attacks
- Network-based attacks
- Social engineering attacks
- Resource and service availability abuse
- Malicious and unintentional data loss
- Attacks on the integrity of data
Before analyzing the security models of these two operating systems, a brief recap of each of these attacks as they relate to mobile device might be helpful:
Web and Network Attacks: These are typically launched by malicious website or compromised legitimate website.
The attacking website sends malformed network content to the victim’s browser, causing the browser to run malicious logic of the attacker’s choosing.
Malware: Malware can be broken into three high-level categories: traditional computer viruses, computer worms, and Trojan horse programs. Much like traditional systems, malware does plague mobile systems, and in fact there are pieces of malware designed exclusively for mobile devices.
Social Engineering Attacks: Social engineering attacks such as phishing attempt to trick the user into disclosing sensitive information.
Social engineering attacks can also be used to entice a user to install malware on a mobile device. In many cases social engineering attacks are easier to accomplish on mobile devices largely because of their personal nature and the fact that they are already used to share information on social media and other similar services.
Data Loss: Data loss occurs when a device used to store sensitive data is either carried away by a malicious person or is lost.
While many of these situations can be mitigated through encryption and remote wipes, the problem is still very serious.
Data Theft: This is one of the bigger problems that have emerged with mobile devices because criminals target them for the information they contain. Malware has been observed on mobile devices that steals sensitive information.
Device Security Models
So how have designers built their systems with an eye toward addressing security problems?
Several steps have been taken, but overall there has been an attempt to approach the problem of security through five key areas, each addressing a specific problem or need:
- Access control is used to protect devices, which includes passwords, biometrics, and least-privilege technologies, to name a few.
- Digital signing has become part of the application model of most if not all mobile Oss.
This feature allows applications to be signed so they can be verified that they originated from a specific author, and they cannot be tampered with without such activities being detected.
While digital singing is not required, Android will not allow the installation of apps from unknown source by default.
In iOS, applications from unknown sources cannot be installed at all unless the owner specifically modifies or “jailbreaks” the phone to allow this.
- Encryption is another viral component of the security model of a mobile OS.
Encryption is employed on devices to ensure that data is kept safe in the event a device is lost, stolen, or compromised. While not consistently implemented on many mobile devices in the past, this has changed, with Android 6.0 (codename Marshmallow) even requiring storage encryption by default.
- Isolation, which seeks to limit the access an application has, is an important issue addressed in mobile devices. Essentially, this is a form of least privilege for applications, where if you don’t need access to sensitive data or processes, you don’t get it.
- Permission-based access control works much as it does on server and desktop operating systems.
This feature limits the scope of access of an application by blocking those actions the user may attempt but has not been granted access to.