ecosystem: Final progress report Alexios Mylonas Athens University - - PowerPoint PPT Presentation

ecosystem final progress report
SMART_READER_LITE
LIVE PREVIEW

ecosystem: Final progress report Alexios Mylonas Athens University - - PowerPoint PPT Presentation

Sep 07, 2022 119 likes •658 views

Security and privacy in the smartphone ecosystem: Final progress report Alexios Mylonas Athens University of Economics & Business Overview 2 Research Motivation Related work Objective Approach Methodology Threat

slide-1
SLIDE 1

Security and privacy in the smartphone ecosystem: Final progress report

Athens University of Economics & Business

Alexios Mylonas

slide-2
SLIDE 2

Overview

 Research Motivation  Related work  Objective  Approach

 Methodology  Threat model  Smartphone definition & data

 Contribution

 Browser controls  User practices  Malware mitigation  Smartphone forensics

 Future work 2

slide-3
SLIDE 3

Research Motivation

 Smartphone ecosystem facts:

 Increase  Popularity of devices  Installations of third-party apps  web browsing  Great source of personal and business data  Smartphones appealing target for attackers

3

slide-4
SLIDE 4

Related work

4

 Android-centered & focused on malware mitigation  Permission system

 Policies, all-or-nothing

 Static analysis

 e.g. static analysis on manifest

 Dynamic analysis

 e.g. Taint analysis

slide-5
SLIDE 5

Related work

4

 Android-centered & focused on malware mitigation  Permission system

 Policies, all-or-nothing

 Static analysis

 manifest

 Dynamic analysis

 Taint analysis  Instrumentation

Problem:

  • 1. Require advanced technical skills!
slide-6
SLIDE 6

Related work

4

 Android-centered & focused on malware mitigation  Permission system

 Policies, all-or-nothing

 Static analysis

 manifest

 Dynamic analysis

 Taint analysis  Instrumentation

Problem:

  • 1. Require advanced technical skills!
slide-7
SLIDE 7

Related work

4

 Android-centered & focused on malware mitigation  Permission system

 Policies, all-or-nothing

 Static analysis

 manifest

 Dynamic analysis

 Taint analysis  Instrumentation

Problem:

  • 1. Require advanced technical skills!
slide-8
SLIDE 8

Objectives

5

 Study user practices

 adoption of security controls

 User-centric protection

 Include user input in our approach  Users value their data types differently

 Case study: Smartphone forensics

slide-9
SLIDE 9

Methodology

6

Survey of controls Analysis (user-centric) Security Finding Recommendation/Mitigation Survey of threats

slide-10
SLIDE 10

Threat model

7

WEB

  • T1. Malicious web (servers)
slide-11
SLIDE 11

Threat model

7

  • T2. Physical access
slide-12
SLIDE 12

App App

Threat model

Application Repository

. . .

Users

App App App

12 7

  • T3. Malicious apps
slide-13
SLIDE 13

A smartphone?

 used to access mobile

network carrier services

 contains a smartcard  a cell phone  advanced hardware

capabilities

 an identifiable OS  supports 3rd-party apps  apps from app repository

8

Cell\feature phone Smartphone

  • C5. Theoharidou M, Mylonas A, Gritzalis D. A risk assessment method for smartphones. In: Proc. of the 27th

IFIP Information Security and Privacy Conference. Springer; AICT-376; 2012. p. 443-456.

slide-14
SLIDE 14

Smartphone Data

8

 Smartphones host heterogeneous data Smartphone Data

Application Device Messaging Usage History SIM Card Sensor

  • C4. Mylonas A, Meletiadis V, Tsoumas B, Mitrou L, Gritzalis D. Smartphone forensics: A proactive investiga-

tion scheme for evidence acquisition. In: 27th IFIP International Information Security and Privacy Conferen-

  • ce. Springer; AICT-376; 2012. p. 249–260.
slide-15
SLIDE 15

Browser controls

9

 Manageability of browser security controls

 PC, smartphones

 Out-of-the box protection offered

  • C7. Mylonas A, Tsalis N, Gritzalis D. Evaluating the manageability of web browsers controls. In: Proc. of the

9th International Workshop on Security and Trust Management (STM-2013), Springer; LNCS-8203; 2013; p 82-98.

slide-16
SLIDE 16

Browser Controls

9

 Web threats

Survey of controls Identification and manageability Control enumeration in browser UIs Browser, Chrome, Firefox, Safari, IE, Opera, Opera Mini Common controls (33) Usability Default values Configurability Unavailability of controls Out-of-the-box protection Usability issues Security-oriented configuration settings UI suggestions

slide-17
SLIDE 17

10

 Availability of controls

 PC vs. smartphone  Smartphones browsers offer less controls

Browser controls

slide-18
SLIDE 18

10

 Availability of controls

 PC vs. smartphone  Smartphones browsers offer less controls

 Blame the sandbox?

 Counterexamples  Android and iOS (10)  e.g. block location data, block third-party cookies, enable DNT,

certificate warning, private browsing, ... (c.f. C.7)

 Android (5)  i.e. block referrer, disable plugin, malware protection, master

password, search engine manager

Browser controls

slide-19
SLIDE 19

Mitigation of web threats

 identified controls (32)  enabled by-default  editable

a) default protection/threat

 Web threats  ICT web threats  Smartphone threats

b) control manageability/threat

11

slide-20
SLIDE 20

Default protection /threat

12.09.2013 - Evaluating the Manageability of Web Browsers Controls

12

slide-21
SLIDE 21

Default protection /threat

12.09.2013 - Evaluating the Manageability of Web Browsers Controls

12

slide-22
SLIDE 22

Default protection /threat

12.09.2013 - Evaluating the Manageability of Web Browsers Controls

12

slide-23
SLIDE 23

Manageability of controls /threat

12.09.2013 - Evaluating the Manageability of Web Browsers Controls

13

slide-24
SLIDE 24

Manageability of controls /threat

12.09.2013 - Evaluating the Manageability of Web Browsers Controls

13

slide-25
SLIDE 25

Manageability of controls /threat

12.09.2013 - Evaluating the Manageability of Web Browsers Controls

13

slide-26
SLIDE 26

Manageability of controls /threat

12.09.2013 - Evaluating the Manageability of Web Browsers Controls

13

slide-27
SLIDE 27

Recommendations

 Functionality-oriented

 Users can disable controls

without confirmation

 Security settings mixed with

  • ther settings

 Security-oriented

all controls configurable &

enabled

discourage changes  certificate warning, malware/

phishing protection

 confirmation for update settings ask default value  block cookies, block location

data, block 3rd party cookies, enable DNT, and master password Vendor Settings & UI Proposed Settings & UI

14

slide-28
SLIDE 28

Recommendations

14

 Proposed settings restrictive

Security vs. user experience Local blacklist

 Per-site configuration of controls

 User awareness

 Users trained to use control(s) correctly  Users aware of web threats

slide-29
SLIDE 29

User practices

15

 Adoption of controls

 Physical attacks  Malicious apps

 Statistical analysis (n=458, Athens, Fall 2011)

  • C6. Mylonas A, Gritzalis D, Tsoumas B, Apostolopoulos T. A qualitative metrics vector for the aware-

ness of smartphone security users. In: 10th International Conference on Trust, Privacy & Security in Digital Business. 2013.p. 173–84.

  • J1. Mylonas A, Kastania A, Gritzalis D. Delegate the smartphone user? Security awareness in smart-

phone platforms. Computers & Security 2013;34(0):47–66.

slide-30
SLIDE 30

User practices against physical access

10

 Physical threat

Survey of controls User survey of adoption Control enumeration in handsets Android, BlackBerry, iOS, Symbian, Windows Phone Common controls

  • Password protection
  • remote locator
  • remote wipe
  • encryption

Adoption of controls Statistical analysis Exposure to physical threat (vulnerability) Risk Assessment method Training

slide-31
SLIDE 31

User practices against physical access

16

 Poor adoption of physical access controls

device password encryption remote data wipe remote device locator none % of adoption 64,4 22,7 15,1 23,1 27,9 10 20 30 40 50 60 70

slide-32
SLIDE 32

User practices against malware

10

 Threat of malicious apps

Survey of controls User survey of adoption Control enumeration by security models Android, BlackBerry, iOS, Symbian, Windows Phone Security indicators

  • security messages
  • reputation
  • reviews

Third-party security software User practices Statistical analysis Exposure to malicious apps (vulnerability) Risk Assessment method Prediction model Training

slide-33
SLIDE 33

User practices against malware

17

 User practises when installing apps from the app repository

Finding 5: Users who occasionally inspect security messages or ignore them at all are more likely to disable encryption Finding 6: Users who always inspect security messages are more likely technically and security savvy users Finding 7: Users who ignore security messages are more likely to also ignore agreement messages

agreement msgs reputation reviews security msgs pirated apps % of adoption 10 8,7 10,5 38,6 60,7 10 20 30 40 50 60 70

slide-34
SLIDE 34

User practices against malware

17

 Poor use of smartphone security software

Finding 5: Poor adoption of physical security controls

Finding 5.1: Encryption (22.7%) Finding 5.2: Remote data wipe (15.1%) Finding 5.3: Remote device locator (23.1%) Finding 5.4: No adoption of any physical security control (27.9%)

Finding 6: Users tend to have disabled smartphone secsoft along with encryption, device password lock and remote device locator

PC secsoft smartphone secsoft secsoft essential searched free smartphone secsoft Unaware of smartphone secssoft % of adoption 85,8 24,5 34,3 40 27 20 40 60 80 100

slide-35
SLIDE 35

User practices against malware

17

 Users believe that installing apps from the repository is secure (~3/4

users)

 These users are exposed to malware

 Unaware users of smartphone malware more likely trust the app

repository

 Users who trust the repository tend to be unaware about smartphone

secsoft

 Users who trust app repository are less likely to scrutinize security msgs

slide-36
SLIDE 36

Malware Mitigation

19

 Prediction model

 Trust repository cannot be otherwise identified

Prediction Model (TrustRepo) User practices, skills Awareness Training Risk Assessment input Risk Assessment input

slide-37
SLIDE 37

Malware Mitigation

19

 Prediction model

 Trust repository cannot be otherwise identified

Prediction Model (TrustRepo) Awareness Training Risk Assessment input Risk Assessment input p = exp(z) / (1 + exp(z)) User practices, skills

slide-38
SLIDE 38

Malware Mitigation

19

 Prediction model

 Trust repository cannot be otherwise identified

Prediction Model (TrustRepo) Awareness Training Risk Assessment input Risk Assessment input z = 1.351*x1 +1.092*x2 -1.688 *x3 +1.523*x4+1.314*x5 -0.475*x6-0.741*x7 User practices, skills

slide-39
SLIDE 39

Malware Mitigation

19

 Prediction model

 Trust repository cannot be otherwise identified

Prediction Model (TrustRepo) Awareness Training Risk Assessment input Risk Assessment input Score\Sample Greek (n=458) UK (n=102) Effectiveness 79.0% 78.4% Type I 74.5% 68.2 Type II 4.0% 8.7% User practices, skills

slide-40
SLIDE 40

Malware Mitigation

19

 Prediction model

 Trust repository cannot be otherwise identified

Prediction Model (TrustRepo) Awareness Training Risk Assessment input Risk Assessment input

  • J1. Mylonas A, Kastania A, Gritzalis D. Delegate the smartphone user? Security awareness in smart-

phone platforms. Computers & Security 2013;34(0):47–66.

User practices, skills

slide-41
SLIDE 41

Malware Mitigation

19

 Risk Assessment for smartphones

 Treats the device’s subassets and not as a whole  Treats permission granting as a vulnerability

Risk Assessment User Impact for assets Risk Value Past incidents, statistics Vulnerabilities

  • C5. Theoharidou M, Mylonas A, Gritzalis D. A risk assessment method for smartphones. In: Proc. of the 27th

IFIP Information Security and Privacy Conference. Springer; AICT-376; 2012. p. 443-456.

slide-42
SLIDE 42

Malware Mitigation

19

 Risk Assessment for smartphones

 Treats the device’s subassets and not as a whole  Treats permission granting as a vulnerability

Risk Assessment User Impact for assets Risk Value Past incidents, statistics Vulnerabilities (asset, permission combination, threat)

slide-43
SLIDE 43

Malware Mitigation

19

 Risk Assessment for smartphones

 Treats the device’s subassets and not as a whole  Treats permission granting as a vulnerability

Risk Assessment User Impact for assets Risk Value Past incidents, statistics Vulnerabilities (asset impact, permission likelihood, threat likelihood)  Threat Risk

slide-44
SLIDE 44

Smartphone Forensics

20

slide-45
SLIDE 45

Smartphone Forensics

20

 What if the ‘good’ guys collect the data?  Can we control its abuse?

slide-46
SLIDE 46

Smartphone Forensics Scheme

20

 A scheme to avoid intelligence gathering Software Agent Interface Independent Authority Evidence DB P1a: Investigation Request P1b: Investigation Session P2: Evidence Type Selection (Execution) P4: Evidence Transmission P3: Collection P5: Storage Investigator Suspect P2: Evidence Type Selection (Request)

slide-47
SLIDE 47

Smartphone Forensics Scheme

21

 Scheme’s processes Investigation Request Investigation Session Evidence Type Selection Evidence Collection Evidence Transmission Evidence Storage Investigation Completion

(1…N)

slide-48
SLIDE 48

Smartphone Forensics

22

 Android implementation

 Mechanisms typically used by attackers  Spyware, botnets, social engineering

slide-49
SLIDE 49

Smartphone Forensics

22

 A scheme to avoid intelligence gathering  Android implementation

slide-50
SLIDE 50

Smartphone Forensics

22

slide-51
SLIDE 51

Future work

24

  • New user study of the adoption of security controls
  • User study on the usability of web browser controls
  • Design and implement standardized interface for web

browsers

  • Study the security models of new platforms
  • Examination of alternative misuse mechanisms for proactive

forensics

slide-52
SLIDE 52

References

26

  • 1. Mylonas, A., Kastania, A., Gritzalis, D., “Delegate the smartphone user? Security awareness in smartphone platforms”, Computers &

Security, Vol. 34, pp. 47-66, 2013.

  • 2. Mylonas, A., Meletiadis, V., Mitrou, L., Gritzalis, D., “Smartphone sensor data as digital evidence”, Computers & Security (Special

Issue: Cybercrime in the Digital Economy), Vol. 38, pp. 51-75, 2013.

  • 3. Mylonas, A., Dritsas, S., Tsoumas, B., Gritzalis, D., “Smartphone security evaluation: The malware attack case”, in Proc. of the

International Conference on Security and Cryptography, SciTePress; p. 25-36, Spain 2011.

  • 4. Mylonas, A., Tsoumas, B., Dritsas, S., Gritzalis, D., “A secure smartphone applications roll-out scheme”, in Proc. of the 8th International

Conference on Trust, Privacy & Security in Digital Business, Springer, LNCS-6863, p. 49-61, 2011.

  • 5. Kandias, M., Mylonas, A., Theoharidou, M., Gritzalis, D., “Exploitation of auctions for outsourcing security-critical projects”, in Proc. of

the 16th IEEE Symposium on Computers and Communications, p. 646–51, Greece, 2011.

  • 6. Mylonas, A., Meletiadis, V., Tsoumas, B., Mitrou, L., Gritzalis, D., “Smartphone forensics: A proactive investigation scheme for

evidence acquisition”, in Proc. of the 27th IFIP International Information Security and Privacy Conference, Springer, AICT-376, p. 249–260, Greece, 2012.

  • 7. Theoharidou, M., Mylonas, A., Gritzalis, D., “A risk assessment method for smartphones”, in Proc. of the 27th IFIP Information Security

and Privacy Conference”, Springer, AICT-376, p. 443-456, Greece, 2012.

  • 8. Mylonas, A., Gritzalis, D., Tsoumas, B., Apostolopoulos, T., “A qualitative metrics vector for the awareness of smartphone security

users”, in Proc. of the 10th International Conference on Trust, Privacy & Security in Digital Business, p. 173–84, Chech Republic, 2013.

  • 9. Mylonas, A., Tsalis, N., Gritzalis, D., “Evaluating the manageability of web browsers controls”, in Proc. of the 9th International

Workshop on Security and Trust Management, Springer, LNCS-8203, p. 82-98, United Kingdom, 2013.

  • 10. Mylonas, A., Dritsas, S., Tsoumas, B., Gritzalis, D., “On the feasibility of malware attacks in smartphone platforms”, in Security and

Cryptography, Springer, p. 217-232, 2012.