by Jim Geier
Learn the tricks of the trade to protect your mobile applications and devices from unauthorized access.
Mobile application security encompasses a broad range of elements, namely just about anything that negatively impacts the application. When developing mobile application software, you should be thinking about potential security risks and applicable countermeasures. This often goes well beyond what the software was intended to do, but the extra time and expense will be well worth it.
Mobile devices are small, and users can lose or misplace them easily. Or, they could end up stolen. Most IT organizations have a fairly good authentication for servers and databases residing on the corporate network, but the mobile device itself is still vulnerable to attack
In order to guard against unauthorized access to data and applications on the mobile device, make sure the device’s keypad automatically locks after a number of minutes of non-use, and requires a form of authentication-such as a PIN or password-to unlock the keypad.
But don’t overlook the fact that a hacker might try to figure out the PIN through brute force methods, such as systematically entering different PIN combinations. As a result, incorporate a cool-down period to temporarily and completely disable access to the device if the authentication is not successful after several attempts. In addition, consider performing memory and application wipe functions to restore the device to factory default settings if the thief types in the wrong PIN or password numerous times.
Another way a hacker can gain access to user information is by monitoring a user’s password over an unsecured connection, such as an unencrypted Post Office Protocol (POP3) email account over a public Wi-Fi network. Because many users use the same passwords for multiple services, the hacker will likely try the password to unlock access to a secured account, such as the user’s corporate e-mail or applications. In order to counter this, encourage users to not use the same password for different accounts, or automatically generate unique and appropriate passwords for users.
Hackers are very good at finding ways into wireless devices. For example, a hacker may attempt to synchronize the device to a PC or laptop in order to view and copy data stored on the device. Wireless adapters are especially vulnerable because a hacker can exploit them without physically stealing the device. For a knowledgeable hacker, Bluetooth*, Wi-Fi, Infra-Red (IrDA) and cellular wireless interfaces allow easy entry into the device. For example, a user associated with a public Wi-Fi wireless LAN is part of the same network as other users. Thus, a hacker associated with the same network can access files on the mobile device unless the user takes precautions.
Mobile devices have many interface ports, so be sure to incorporate a personal firewall that locks them down. Firewalls do a good job of limiting which ports are active and which protocols and users can use them. Also, consider whether users can install applications, and possibly disallow that ability. Some applications may install software that unknowingly will open a wireless port that may allow hackers in.
Because storage cards are portable, they also offer a security risk, similar to removable sto rage disks in PCs. A thief taking possession of a user’s Palm Pilot, for instance, can eject the storage card and read the data into another device. This can be prevented by encrypting the data on the cards or disabling their use.
It’s difficult to fully secure mobile devices from the smarter hackers. That’s why some companies establish the means for remote destruction of the mobile device data and applications.
An issue with remote destruction, however, is that it can only happen if there is a connection available to the device. The thief may somehow disable the radio, which precludes the destruction from taking place. Of course the connection will be made (and the destruction possible) if the thief tries to access a corporate application.
Also, it can be inconvenient to perform the destruction for a misplaced device that might be found within a few days. If the user is located in a remote overseas location, then the replacement of the data and applications will be difficult.
So, make use of remote destruction if possible, but don’t depend on it.
Because radio waves propagate outside the physically controlled area of the user, there is a potential for unauthorized monitoring of wireless mobile application data. Most enterprises require the use of encryption for wireless connections, but it’s important to use effective mechanisms. Hackers can monitor the transmission of 802.11 wired equivalent privacy (WEP)-encrypted data packets and eventually decipher the data. Better choices for wireless encryption in enterprises include the Wi-Fi Protected Access (WPA) and the newer 802.11i standards.
When operating from public Wi-Fi networks, there is no encryption on the wireless network between the mobile device and the access point. This isn’t a huge problem if the user is using a credit card over the network, assuming that the e-commerce site employs secure socket layer (SSL) encryption.
Virtual private network (VPN) software is much safer when accessing corporate systems from public networks. A VPN client on the mobile device communicates with the remote application, with encryption taking place from end-to-end. This is a well understood technology-companies have been requiring travelers to utilize VPNs for years when using dial-up services.
In fact, some companies even require VPNs when connecting wireless devices directly to the corporate wireless network. The access points in this case reside on the un-trusted side of the company firewall. This is a safe solution, but it incorporates higher costs for hardware in order to support a greater number of VPN connections.
Virus Attacks and Denial of Service
We’re all accustomed to using anti-virus software on PCs and laptops, but many smart phones go unprotected. Traditionally, virus writing culprits haven’t targeted smart phones because there aren’t enough in circulation to make it worthwhile. Authors of viruses generally stick to writing them for platforms that are very common-they strive for the biggest bang for the virus.
The proliferation of smart phones, however, will eventually grab the attention of virus writers. As a result, be certain to include anti-virus utilities to your smart phone implementations.
With wireless networks, denial of service (DoS) can happen if a hacker continually sends disassociation frames addressed to specific users to keep them from having access to a Wi-Fi wireless network. This can also be done by transmitting a relatively powerful interfering signal within the area of the wireless network. Wi-Fi protocols are very polite and let radio frequency interference use the frequency spectrum and force wireless users to wait until the interference goes away. Unfortunately, a mischievous person can take advantage of this situation.
Also, after disabling access to a legitimate access point, a hacker can surface a rogue access point, and the user’s radio card will automatically associate with it. When this occurs, it’s possible for the hacker to intercept and even take over sessions between the user and the application server. The rogue access point can be configured to look just like the legitimate one did to the corporate network. These types of man-in-the-middle attacks can be very damaging to information security.
Some companies deploy effective authentication systems using digital certificates and require access points to verify their identities to the corporate network. This prevents the hacker from getting anywhere when attempting the man-in-the-middle attack.
Before investing a great deal of time and money in guarding against DoS attacks, evaluate the potential for such an event. If such an attack will impose hazards to people, substantial loss of revenue or embarrassment to the company, then strongly consider deploying anti-intrusion systems that monitor the presence of DoS attacks and proceed with countermeasures automatically.
Mobile software applications can realize a level of security that satisfies the needs of most companies, assuming you plan effective solutions and have security policies in place that enforce conformance to security mechanisms. Keep in mind, however, that the strongest authentication and data encryption won’t keep a hacker from merely looking over the shoulder of someone using a mobile device in a public place. So don’t forget to educate users on this simple hacker tactic as well as the more sophisticated ones.
About the Author
Jim Geier is the principal of Wireless-Nets, Ltd. (www.wireless-nets.com*), a consulting firm assisting companies with the implementation of wireless mobile solutions.