30-05-2012, 12:50 PM
Smartphone Security Limitations: Conflicting Traditions
Smartphone Security Limitations Conflicting Traditions.pdf (Size: 342.69 KB / Downloads: 51)
INTRODUCTION
Smartphones are becoming as powerful as laptops and
desktops. Smartphones ship with multiple cores and powerful
graphics processors. They have robust sensor platforms
containing GPS, near field communications (NFC), WiFi,
Bluetooth, and cellular capabilities. They are a vault for
large amounts of personal information about banking, social
networks, and inter-personal communication. The capabilities
and information value of the modern smartphone make
it an attractive target for Internet miscreants.
SMARTPHONES AND THE ANDROID OS
A general description of the smartphone platform can be
seen in Fig. 1. The smartphone platform consists of two
elements. The first element is a general-purpose computing
environment. The second is a cellular environment used to
provide radio access to the cellular network. The generalpurpose
computing environment handles a vast majority of
the owner’s interaction with the smartphone including the
user interface (UI), mathematical computations, and graphical
rendering. The cellular environment consists of the baseband
chip. This chip’s primary function is to interact with
the cellular network. The baseband chip differs from traditional
device drivers such as a wireless chip in that the
baseband is generally tied to a specific cellular carrier and
network type.
SECURITY THREATS
Threats currently found“in the wild” are rudimentary and
remain in userland except for rare cases. Many threats are
very similar to threats that attack fixed computing platforms
such as notebooks and desktops. Most smartphone malware
masquerades poorly as legitimate software and relies on the
phone’s owner to ignore permission listings. Some requested
permissions are blatant warnings, such as “services that will
cost you money”. The AdSMS malware [9, 10] is an example
of premium-rate text message malware that relies
on dangerous permissions. Once installed, the application
will collect personal data on the phone’s owner as well as
send premium-rate text messages to international numbers,
with the malware authors profiting from a cut of the charge.
These behaviors are very similar to traditional desktop “dialers”.
OPEN PLATFORMS AND ANDROID
The threats faced by the Android platform discussed in
Sec. 3 are not new to the field of computer security. They are
modifications of threats targeting general computing platforms.
Security researchers working in the general computing
tradition have used open platforms as a base to design
new security technologies and implement proof of concepts.
If open-platform solutions have helped security in the general
computing tradition, then they must also be useful on
the mobile space if general computing threats are the focus.
Thus it is important to know if a mobile platform can be
considered open.
Definition of an Open Platform
We define fully open platforms as systems where i) a complete
set of source code required to run all features of the
platform must meet the Open Source Definition [18]; ii) the
software must include at least a minimal set of build and use
instructions; iii) the device owner must be able to modify
the software on the device without violating warranties, use
agreements, software controls, or hardware controls. The
first requirement is for foundation. If the code of the platform
does not meet the community definitions of open source
then the platform itself could never be fully open.