Mobile Security

From Embedded Lab Vienna for IoT & Security
Jump to navigation Jump to search

Mobile Security

Mobile security has become increasingly important due to the global reliance on mobile devices for personal and business communications. With over 7 billion users worldwide—approximately 90% of the global population—mobile devices outnumber desktop computers. This widespread adoption exposes users to threats such as malware, phishing, data leakage, and unauthorized access. Organizations leveraging mobile technologies for remote work and cloud-based operations must adopt robust security measures to safeguard sensitive data, ensure privacy, and prevent financial losses.

Overview of Major Mobile Operating Systems

Android

Android dominates the global market, with a 70% share attributed to its open-source nature, allowing for significant customization and widespread adoption. However, this flexibility introduces security risks, necessitating features like the "3-Tier Security Model":

  • SELinux: Sandboxing and access control via Security-Enhanced Linux.
  • Google Security Measures: Play Protect, SafeNet, and an advanced permission model.
  • OEM Security: Manufacturer-specific patches and antivirus solutions.

Despite advancements such as AES-based encryption transitioning to file-based encryption, challenges like version fragmentation and vulnerabilities (e.g., privilege escalation) persist. Common threats include malware, Advanced Persistent Threats (APTs), and malicious apps in third-party stores.

iOS

Apple’s iOS holds 29% of the global market and is tightly integrated within the Apple ecosystem. Its closed-source architecture and strict app review process enhance security by:

  • Preventing unauthorized modifications.
  • Ensuring hardware encryption (AES-256) and secure enclaves for sensitive data.
  • Uniformly distributing updates across devices.

Recent changes, such as allowing sideloading due to EU regulations, introduce new risks. Apple mitigates these risks with features like notarization, ensuring baseline security for sideloaded apps. [1]

Librem 5 and Liberty Phone

Purism’s Librem 5 [2] and Liberty Phone emphasize privacy, featuring hardware kill switches to disable components like cameras and modems. Both run on PureOS, a Debian-based, open-source operating system that avoids data tracking. Advantages include:

  • Full disk encryption with root access.
  • Reproducible builds enabling user-audited applications.

Limitations stem from the reliance on Linux applications, which restricts app variety.

Ubuntu Touch

Ubuntu Touch, an open-source operating system developed by UBports, focuses on privacy and convergence—seamless integration with other devices. Key features include:

  • App sandboxing and a permission system (confinement).
  • Regular security updates and data protection measures.

Challenges include the lack of full-disk encryption (planned) and limited app support, with users often resorting to Android dual-booting or suboptimal solutions like Waydroid. [3]

Key Insights in Mobile Security

Each platform demonstrates unique approaches to balancing security, usability, and compatibility:

  • Android offers customization but faces challenges from fragmentation and its open-source model.
  • iOS ensures robust security within a closed ecosystem but sacrifices user flexibility.
  • Librem 5 and Liberty Phone prioritize privacy, ideal for security-conscious users, though app ecosystems are limited.
  • Ubuntu Touch showcases open-source adaptability but struggles with mainstream adoption due to app limitations.

Practical Applications

Security tools such as Genymotion, JADX, and Android Debug Bridge play a pivotal role in identifying and addressing vulnerabilities across platforms. These tools highlight the need for continuous innovation and vigilance in mobile security strategies.

Hands on practice

A very good beginner app to test mobile security is Allsafe, running on Android.

Recommended tools

Genymotion A free, lightweight Android emulator https://www.genymotion.com/
Android Debug Bridge Commandline tool, allows USB interaction with Android devices, also comes with Android Studio https://developer.android.com/studio?utm_source=android-studio https://developer.android.com/tools/adb
JADX Commandline and GUI tool to decompile dex and apk files to Java https://github.com/skylot/jadx
Allsafe Intentionally vulnerable Android app, includes many different challenges https://github.com/t0thkr1s/allsafe

Setup

  • For a physical Android device, connect it to your host machine via USB.
  • For a virtual Android device, download and install Genymotion.
  • Download and install Android Studio or ADB.
  • Download and install JADX.
  • If using Genymotion, create a new virtual device and start it.
  • On your device, enable USB Debugging.
  • Test if the device is reachable via adb:
   adb devices
  • (If you can not execute adb, check your PATH)
  • Download Allsafe APK and install it to the device via adb:
   adb install <path/to/allsafe.apk>
  • Start the app and enjoy solving the challenges!

References

  1. https://developer.apple.com/security/complying-with-the-dma.pdf
  2. https://puri.sm/products/librem-5/
  3. https://docs.ubports.com/en/latest/userguide/dailyuse/waydroid.html
Retrieved from "https://wiki.elvis.science/index.php?title=Mobile_Security&oldid=17196"