5

Smartphones apps transfer various types of data over the provider's data network (or wifi, if enabled). What security risks are there in this transfer, and how can the risks be mitigated? I'm not talking about cell phone security in general, but specifically the area of data transfer between the phone and some other source over the cell phone or wireless network.

Edit: Sorry for the vagueness, I'll try to narrow it down. I'm wondering specifically about the channel used for data transfer (either the provider's wireless network or a wifi hotspot). What encryption (if any) is provided over these networks, and how common is it for apps to encrypt data in addition to what's provided by the channel itself? For example, what encryption is used by the Facebook app over a public wifi network? What about a banking app over the provider's data network? What about Gmail over a WPA-secured wireless network? etc.

jrdioko
  • 13,011
  • 7
  • 29
  • 38
  • 2
    This is too vague and broad. There are many kinds of cell phones and app frameworks to say nothing of hundreds of thousands of apps. It is about the same as asking "what security risks are there for PC internet applications? – nealmcb Jul 06 '11 at 16:19
  • 2
    Examples help, but now we're into 3 different questions, which vary by cell phone platform. How about dropping everything else and asking if any cell phone platforms do any encryption at all from the phone to the provider data network (ignoring wifi also). I doubt they do, leaving it all up to the app, since the threat model for some apps requires no security, and others require a whole lot. – nealmcb Jul 06 '11 at 16:56
  • My bad - of course there are encryption algorithms like A5/1 for GSM. So reviewing GSM vs CDMA vs ?? for wireless data security would be a useful question. But it would also help a lot to know what perspective you're after. Developer? User? Bank? See the [faq]. – nealmcb Jul 06 '11 at 17:12

7 Answers7

6

Your question is a bit vague.

What data is transfered by smartphones?

It depends. You can be fairly certain the data will include telephone conversations, SMS/MMS messages, and e-mails.

What data is stored on a smart phone?

  • calls records (remote phone number, time/date of call start, call duration, direction [incoming/outgoing] , potentially the name of he remote party)
  • SMS/MMS data ( photots [time/date, location, potentially names of people in the photos])
  • location data ( time/date with lattitude longitude )
  • photos ( see SMS/MMS )
  • e-mails ( recipients, time/date, pop3 server, smtp server)
  • web site usage ( URL, form data, cookies, time date of last visit )
  • contacts (phone numbers, e-mail, physical address, relationships )
  • music (preferences, listening frequency, etc)

Potentially, any data stored on the smartphone could be transfered.

Do you want any of this data to be private (confidential) ?

If so, then transfers involving this data need to be protected, usually this is done by encryption. The security risk in this case would be exposure of confidential data. Mitigation against exposure is encrypting your data, and configuring access controls to limit access to the data.

Do you want to protect any of this data from modification?

Protocols used during data transfer have the ability to modify or delete your data. The security risk in this case would be loss of integrity of the data (it gets changed), or loss of availabilty of the data (it gets deleted). Mitigation against loss of integrity is the use of cryptographic hashes (which will indicate if your data is intacted or not). Additional mitigation might be error-correcting codes which allow you to recover data that is altered. Mitigation against loss of availability is data backup and properly configured access control. The backup can restore the availability of data if it is destroyed, and the access control can limit who can delete which data.

this.josh
  • 8,843
  • 2
  • 29
  • 51
4

Probably the most straightforward problem security-wise is the transmission of unencrypted data. For instance, imagine you are using the facebook app over wifi. However, you are not the owner of the gateway (i.e. router) or your gateway is compromised. If your data is not encrypted in such a scenario, your username/password, your personal information or even other people's personal information are at the mercy of someone sniffing the network.

Facebook of course can be regarded as a low-security risk, but internet-banking over smartphones is already possible and apps don't necessarily encrypt data.

Another problem is the carrier itself. A lot of carriers still use GSM. The cryptographic standards of GSM are over 20 years old. Not only can GSM Networks be hacked, but can actually become hostage. New implementations of GSM (also known as 2G) have been developed (UMTS/3G) but those also have been hacked as of recently. You can read more about this here.

Mike
  • 667
  • 4
  • 9
  • 1
    As an addendum: A data stream protected by the A5/1 encryption standard that is most used in GSM of the western world can be intercepted, decrypted and listened to live within 30 seconds with a regular laptop using rainbow tables. I guess that's what 'news of the world' has been doing since it is the easiest way to do it but cannot confirm it. Here is another link that goes into more detail: http://gizmodo.com/5719940/breaking-gsm-security-with-a-15-phone – Mike Jul 19 '11 at 06:33
  • 1
    From what I've read, A5/1 is used for voice and SMS, but not for data. Data is sent via GPRS, EDGE etc which use different ciphers. But the GPRS ciphers GEA/1 and GEA/2 were recently broken also. See [Smartphone / GSM Sniffer - IT Security - Stack Exchange](http://security.stackexchange.com/questions/5997/smartphone-gsm-sniffer/6255#6255) for more. – nealmcb Aug 15 '11 at 04:41
3

A problem that's particular, though not exclusive, to smartphones is availability of the link itself. If you have a capped bandwidth allocation from your Mobile Network Operator, an app can readily DoS the entire device by consuming the whole allocation.

A related problem is that MNO data services are more likely to be charged at point of use than wi-fi connections, and charged at much higher rates. Users aren't likely to enjoy being charged for the data used by a botnet or spyware app.

3

The answer varies by the wireless protocol being used.

See Can you secure a web app from FireSheep without using SSL? for why you should just use SSL/TLS to protect sensitive data from all these bad wireless implementations, as well as vulnerabilities in wired networks.

nealmcb
  • 20,544
  • 6
  • 69
  • 116
2

Attacks on the channel can occur if information is not encrypted, as it is a broadcast medium. Also, you have no control of the antenna so if it could be compromised you could also be susceptible to attack there.

Solution - encrypted, authenticated channel. And this goes for WiFi or GSM - if it isn't your network, don't trust it at all; if it is, secure it against others and still protect yourself.

Denial-of-service is also a very likely attack, as any wireless communications are susceptible to jamming.

Solution - not a lot you can do here if an attacker has a high power jammer

Rory Alsop
  • 61,367
  • 12
  • 115
  • 320
1

The security risks which exists on cell phone application(s) in the process of data transfer are exactly same as the risks associated with say for example one's personal laptop in the process of data transfer. Many a times we tend to think the issues related to mobile applications are too different because it is a different network.

Lets say for example one have connected his/her laptop to browse Facebook or GMAIL using the open WIFI network or a corporate network. The risk associated are same when compared to mobile application communication. Some one in the corporate network or open WIFI network can sniff the data which is being transmitted. As far as banking sites are concerned, it is hard to believe today if there exists any banking portal login where the entire session is not SSL encrypted enabled. In-fact GMAIL now supports full logged session over SSL. Google have extended the same for the search engine as well using https://www.google.com

The Facebook application or the GMAIL application might not even know what is type of internet connection which is in use. For example if the app is J2ME application, than the application have no API's exposed to determine the mode of internet connection. In blackberry the applications can know it. In Android and IPhone it might be possible.

In normal PC world communication, we rely on SSL so same have to be implemented in mobile applications as well. Hence there is no difference.

The risk associated with mobile applications in my views are 3rd party applications like the ones provided using which you can perform Facebook or check your mails. They can have the wrong code or malware which could be exposing your data to some other servers. Hence it all depends on the trust factor which we have with the software provider.

In fact in some way mobile apps are secured compared to browser sessions as in mobile apps, strong rules can be enforced as to which server certificate is to be accepted in the process of SSL handshake which in normal PC world could be compromised in man in middle attack by confusing the end user with spook certificate and similar looking website.

Mohit Sethi
  • 692
  • 4
  • 7
1

To add to the other answers here, don't forget that the backhaul network is at least as much of a problem as the airlink, if not more so. There was a good presentation at Shmoocon 2011 by Enno Rey of ERNW (who does lots of work in this area; great guys btw) showing some of their results in this area.

Lots of places for this to go wrong... better just to assume that cellular data services are equivalent to public wi-fi and behave accordingly.

Steve Dispensa
  • 3,441
  • 16
  • 20