using sensitive information on android based smartphone
play

Using Sensitive Information on Android Based Smartphone Romkevan - PowerPoint PPT Presentation

Apr 10, 2024 •466 likes •811 views

Using Sensitive Information on Android Based Smartphone Romkevan Dijk Android 6: To what extent is sensitive information protected? RQ2 & RQ3 RQ1 Androids security features Requirements Methodology RQ4 Sensitive information

  1. Using Sensitive Information on Android Based Smartphone Romkevan Dijk

  2. Android 6: To what extent is sensitive information protected?

  3. RQ2 & RQ3 RQ1 Android’s security features Requirements Methodology RQ4 Sensitive information sufficiently protected? RQ5 Improvements

  4. Introduction | Stolen Device | Malicious Applications | Exploits | Eavesdropping | Conclusion Related work Contribution • Guidelines generic (NIST) • Why? • Platform specific guidelines (CESG) • How? • Android project • (Individual researcher)

  5. Introduction | Stolen Device | Malicious Applications | Exploits | Eavesdropping | Conclusion “Sensitive information refers to the majority of information processed (or created) by large enterprises or public services that are used in routine business operations and services and could have damaging consequences if lost, stolen or published in the media” Source: Government Security Classifications by CESG (2011)

  6. Introduction | Stolen Device | Malicious Applications | Exploits | Eavesdropping | Conclusion Protect against attackers with bounded capabilities and resources. the majority of criminal investigative journalist competent individual hacker

  7. Introduction | Stolen Device | Malicious Applications | Exploits | Eavesdropping | Conclusion Attack landscape Malicious apps Exploits Eavesdropping Stolen Device Source: Cyber Threats to Mobile Phones by US-Cert

  8. Introduction | Stolen Device | Malicious Applications | Exploits | Eavesdropping | Conclusion Platform integrity Data protection • Application segregation • Data at-rest • Secure boot sequence • Data in-transit • Malicious code execution (detection • Authentication and prevention) • Update policy Based on: “End user device strategy: security framework and controls” by CESG (2013) “Guidelines on cell phone and PDA security” by NIST (2011)

  9. Introduction | Stolen Device | Malicious Applications | Exploits | Eavesdropping | Conclusion Platform integrity Data protection • Application segregation • Data at-rest • Secure boot sequence • Data in-transit • Malicious code execution (detection • Authentication and prevention) • Update policy Based on: “End user device strategy: security framework and controls” by CESG (2013) “Guidelines on cell phone and PDA security” by NIST (2011)

  10. Introduction | Stolen Device | Malicious Applications | Exploits | Eavesdropping | Conclusion To what extent is sensitive information protected on an Android 6 based smartphone? It depends…

  11. Introduction | Stolen device | Malicious Applications | Exploits | Eavesdropping | Conclusion Stolen device • Trusted Execution Environment (TEE) must be implemented • Strong authentication • Up-to-date • Locked bootloader • Mobile Device Management (MDM)

  12. Introduction | Stolen device | Malicious Applications | Exploits | Eavesdropping | Conclusion Secure World

  13. Introduction | Stolen device | Malicious Applications | Exploits | Eavesdropping | Conclusion Platform integrity Data protection • Application segregation • Data at-rest • Secure boot sequence • Data in-transit • Malicious code execution (detection and • Authentication prevention) • Update policy Based on: “End user device strategy: security framework and controls” by CESG (2013) “Guidelines on cell phone and PDA security” by NIST (2011)

  14. Introduction | Stolen device | Malicious Applications | Exploits | Eavesdropping | Conclusion “Encryption keys protecting sensitive data remain in device memory when the device is locked.” Source: End User Devices Security Guidance: Android 6 by CESG (2016)

  15. Introduction | Stolen device | Malicious Applications | Exploits | Eavesdropping | Conclusion Stolen device Up-to-date CVE-2015-3860 “Android 5 <= 5.1.1 does not restrict the number of characters in the passwordEntry input field, which allows physically proximate attackers to bypass intended access restrictions via a long password that triggers a SystemUI crash“ Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3860

  16. Introduction | Stolen device | Malicious Applications | Exploits | Eavesdropping | Conclusion Stolen device Locked bootloader Muller et al. (2013) “FROST: Forensic Recovery Of Scrambled Telephones”

  17. Introduction | Stolen device | Malicious Applications | Exploits | Eavesdropping | Conclusion Authentication • PIN Max entropy 10 4 = 10000 • Pattern “The lock screen authentication MUST rate limit attempts and SHOULD have an exponential backoff algorithm as • Password implemented in the Android Open Source Project.” • Fingerprint Source: http://source.android.com/compatibility/android-cdd.html Solution: MDM, Wipe data after maximum failed attempts

  18. Introduction | Stolen device | Malicious Applications | Exploits | Eavesdropping | Conclusion Authentication What is stronger 4-digit random PINs or the practical entropy of patterns? • PIN • Pattern • Password • Fingerprint Entropy practically 2 10.90 ≈ 1910,85 Source: “Quantifying the security of graphical passwords: The case of android unlock patterns” by Sebastian Uellenbeck et al.

  19. Introduction | Stolen device | Malicious Applications | Exploits | Eavesdropping | Conclusion Authentication Enter complex password??? • PIN • Pattern • Password • Fingerprint

  20. Introduction | Stolen device | Malicious Applications | Exploits | Eavesdropping | Conclusion Authentication Use of lock screen authentication • PIN increased from 50% to 90% on Google Nexus devices. • Pattern Source: Google I/O 2016 Security Update • Password • Fingerprint Artificial gummy fingers

  21. Introduction | Stolen device | Malicious Applications | Exploits | Eavesdropping | Conclusion Authentication What is stronger: fingerprint or 5 Digit PIN? • PIN “MUST have a false acceptance rate not • Pattern higher than 0.002%.” Source: http://source.android.com/compatibility/android-cdd.html • Password 1 1 𝑙 " = 𝐺𝑁𝑆 = 0,00002 = 50000 • Fingerprint 𝑙 " = effective keyspace of biometric authentication 10 5 = 100000

  22. Introduction | Device theft | Malicious Applications | Exploits | Eavesdropping | Conclusion Malicious Application • Trusted Applications (White-listing) • Up-to-date

  23. Introduction | Device theft | Malicious Applications | Exploits | Eavesdropping | Conclusion ANDROIDOS_GODLESS.HRX aka Godless • Targets Android <= 5.1 Source: Trendmicro(2016) “‘GODLESS’ Mobile Malware Uses Multiple Exploits to Root Devices”

  24. Introduction | Device theft | Malicious Applications | Exploits | Eavesdropping | Conclusion Android Security Issues “LG will be providing security updates on a monthly basis which carriers will then be able to make available to customers immediately.” “Samsung Electronics will implement a new Android security update process that fast tracks the security patches over the air when security vulnerabilities are uncovered. These security updates will take place regularly about once per month.” Source: https://www.wired.com/2015/08/google-samsung-lg-roll-regular-android-security-updates/

  25. Introduction | Stolen Device | Malicious Applications | Exploits | Eavesdropping | Conclusion Platform integrity Data protection • Application segregation • Data at-rest • Secure boot sequence • Data in-transit • Malicious code execution (detection • Authentication and prevention) • Update policy Based on: “End user device strategy: security framework and controls” by CESG (2013) “Guidelines on cell phone and PDA security” by NIST (2011)

  26. Introduction | Device theft | Malicious Applications | Exploits | Eavesdropping | Conclusion Exploit • Locked bootloader • Up-to-date

  27. Introduction | Device theft | Malicious Applications | Exploits | Eavesdropping | Conclusion Eavesdropping • Use a the native VPN in Always-On mode • Educate users to not disable this

  28. Introduction | Stolen Device | Malicious Applications | Exploits | Eavesdropping | Conclusion Platform integrity Data protection • Application segregation • Data at-rest • Secure boot sequence • Data in-transit • Malicious code execution (detection • Authentication and prevention) • Update policy Based on: “End user device strategy: security framework and controls” by CESG (2013) “Guidelines on cell phone and PDA security” by NIST (2011)

  29. Introduction | Device theft | Malicious Applications | Exploits | Eavesdropping | Conclusion Conclusion • TEE must be implemented • Strong authentication • Up-to-date • Locked bootloader • MDM • Use a the native VPN in Always-On mode • Trusted Applications (White-listing)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Proposal &amp; Smartphone Sensing Emmanuel Agu What other Android APIs may be useful for

Proposal &amp; Smartphone Sensing Emmanuel Agu What other Android APIs may be useful for

CS 528 Mobile and Ubiquitous Computing Lecture 6a: Other Android UbiComp Components, Tech Talk, Final Project Proposal &amp; Smartphone Sensing Emmanuel Agu What other Android APIs may be useful for Mobile/ubicomp? Speaking to Android

887 views • 50 slides
evil maid on droids or why you should never loose your android smartphone @f0rki 2012-12-06

evil maid on droids or why you should never loose your android smartphone @f0rki 2012-12-06

evil maid on droids or why you should never loose your android smartphone @f0rki 2012-12-06 Agenda evil maids detour: the android boot process attack scenarios unrooted phones adb access rooted phones protecting yourself 2 / 51 Agenda

1.31k views • 85 slides
An Investigation into Energy-Saving Programming Practices for Android Smartphone App Development

An Investigation into Energy-Saving Programming Practices for Android Smartphone App Development

An Investigation into Energy-Saving Programming Practices for Android Smartphone App Development Ding Li and William G. J. Halfond Department of Computer Science University of Southern California Motivation Usability of mobile apps is

460 views • 23 slides
Location Services Introduction A location-based service (LBS) is an information system driven by

Location Services Introduction A location-based service (LBS) is an information system driven by

Lesson 24 Lesson 24 Android Android Location Based Services Victor Matos Cleveland State University Cleveland State University Notes are based on: Android Developers http://developer.android.com/index.html Portions of this page are

531 views • 25 slides
Android Smartphone as a Microphone in SmartRoom System Pavel Y. Kovyrshin, Dmitry G. Korzun

Android Smartphone as a Microphone in SmartRoom System Pavel Y. Kovyrshin, Dmitry G. Korzun

Android Smartphone as a Microphone in SmartRoom System Pavel Y. Kovyrshin, Dmitry G. Korzun Petrozavodsk State University Department of Computer Science Grant KA179 Complex development of regional cooperation in the field of open ICT

576 views • 11 slides
A Component-based Environment for Android Apps Alexander Senier FOSDEM, Brussels, 2020-02-02

A Component-based Environment for Android Apps Alexander Senier FOSDEM, Brussels, 2020-02-02

A Component-based Environment for Android Apps Alexander Senier FOSDEM, Brussels, 2020-02-02 Smartphone Trust Challenges Privilege Escalation 2020-02-02 2 Media Frameworks are not getting simpler. How do we avoid such fatal errors?

742 views • 28 slides
IconIntent : Automatic Identification of Sensitive UI Widgets based on Icon Classification for

IconIntent : Automatic Identification of Sensitive UI Widgets based on Icon Classification for

IconIntent : Automatic Identification of Sensitive UI Widgets based on Icon Classification for Android Apps Xusheng Xiao 1 , XiaoyinWang 2 , Zhihao Cao 1 , HanlinWang 1 , and Peng Gao 3 1 Case Western Reserve University 2 The University of Texas at

491 views • 19 slides
Small Changes, Big Changes: An Updated View on the Android Permission System Yury Zhauniarovich

Small Changes, Big Changes: An Updated View on the Android Permission System Yury Zhauniarovich

Small Changes, Big Changes: An Updated View on the Android Permission System Yury Zhauniarovich Olga Gadyatskaya RAID 2016 Sensitive Resource Protection in Android Android is the most popular mobile OS: - ~ 2 billion of third-party apps

523 views • 24 slides
Android Google Maps Android API V2 Victor Matos Cleveland State University Notes are based on:

Android Google Maps Android API V2 Victor Matos Cleveland State University Notes are based on:

Lesson 25 Android Google Maps Android API V2 Victor Matos Cleveland State University Notes are based on: Android Developers http://developer.android.com/index.html Portions of this page are reproduced from work created and shared by Google

518 views • 41 slides
Lecture 8a: Smartphone Sensing Emmanuel Agu Smartphone Sensing Recall: Smartphone Sensors

Lecture 8a: Smartphone Sensing Emmanuel Agu Smartphone Sensing Recall: Smartphone Sensors

Mobile and Ubiquitous Computing on Smartphones Lecture 8a: Smartphone Sensing Emmanuel Agu Smartphone Sensing Recall: Smartphone Sensors Typical smartphone sensors today accelerometer, compass, GPS, microphone, camera, proximity

898 views • 68 slides
A6: Sensitive Data Exposure A6 Sensitive Data Exposure Sensitive data stored or transmitted

A6: Sensitive Data Exposure A6 Sensitive Data Exposure Sensitive data stored or transmitted

A6: Sensitive Data Exposure A6 Sensitive Data Exposure Sensitive data stored or transmitted insecurely Failure to protect all sensitive data Usernames, passwords, password hashes, credit-card information, identity info Session

415 views • 17 slides
Victor Matos Cleveland State University Notes are based on: Android Developers

Victor Matos Cleveland State University Notes are based on: Android Developers

Lesson 24 Android Location Based Services Victor Matos Cleveland State University Notes are based on: Android Developers http://developer.android.com/index.html Portions of this page are reproduced from work created and shared by Google and

719 views • 49 slides
Total Recall: Persistence of Passwords in Android Jaeho Lee, Ang Chen, Dan S. Wallach

Total Recall: Persistence of Passwords in Android Jaeho Lee, Ang Chen, Dan S. Wallach

Total Recall: Persistence of Passwords in Android Jaeho Lee, Ang Chen, Dan S. Wallach Motivation Memory is not a safe place for sensitive data. Unprivileged attackers can access sensitive data from device memory. Cold-boot attack Heartbleed

566 views • 31 slides
detection with algorithm-based and dermatologist-based smartphone applications: Towards improved

detection with algorithm-based and dermatologist-based smartphone applications: Towards improved

The current state of melanoma detection with algorithm-based and dermatologist-based smartphone applications: Towards improved healthcare access in the Hawaiian Islands Michael Tee MD, PhD University of Hawaii April 4, 2019 Disclosures No

518 views • 15 slides
Services Android Services A Service is an application component that runs in the background, not

Services Android Services A Service is an application component that runs in the background, not

Lesson 22 Lesson 22 Android Android Services Victor Matos Cleveland State University Cleveland State University Notes are based on: Android Developers http://developer.android.com/index.html Portions of this page are reproduced from work

692 views • 26 slides
Victor Matos Cleveland State University Notes are based on: Android Developers

Victor Matos Cleveland State University Notes are based on: Android Developers

Lesson 22 Android Services Victor Matos Cleveland State University Notes are based on: Android Developers http://developer.android.com/index.html Portions of this page are reproduced from work created and shared by Google and used according

895 views • 51 slides
Admissibility of Evidence from Social Media and Eavesdropping; Liability to Child Rep in

Admissibility of Evidence from Social Media and Eavesdropping; Liability to Child Rep in

Admissibility of Evidence from Social Media and Eavesdropping; Liability to Child Rep in Disclosing Unlawfully Obtained Information Most popular forms of Social Media FACEBOOK INSTAGRAM SNAPCHAT TWITTER LINKEDIN WhatsApp

502 views • 17 slides
Cas Casa a Blan Blanca ca Board of Directors Meeting April 14, 2016 Agenda Roll Call Old

Cas Casa a Blan Blanca ca Board of Directors Meeting April 14, 2016 Agenda Roll Call Old

Cas Casa a Blan Blanca ca Board of Directors Meeting April 14, 2016 Agenda Roll Call Old Business I. XI. Call Meeting to Order - Quorum determined Lighthouse Contract II. I. Motion to Excuse Absent Directors XII. New Business III.

461 views • 34 slides
Shenango o Township Lawrence County, , Pennsylvania ia Shenango Township Lawrence County

Shenango o Township Lawrence County, , Pennsylvania ia Shenango Township Lawrence County

Shenango o Township Lawrence County, , Pennsylvania ia Shenango Township Lawrence County Mission Statement 1 Meeting Schedule

1.44k views • 108 slides
I19 Taking Internationalization Beyond the Classroom Mark Mason, International Student

I19 Taking Internationalization Beyond the Classroom Mark Mason, International Student

Nova Scotia Agricultural College I19 Taking Internationalization Beyond the Classroom Mark Mason, International Student Coordinator Nova Scotia Agricultural College Self Introduction: Mark Mason NSAC International Student

282 views • 27 slides
NYM ISSA MEETING Cellular Eavesdropping: an Evidence-based Discussion 12 April 2011 Agenda

NYM ISSA MEETING Cellular Eavesdropping: an Evidence-based Discussion 12 April 2011 Agenda

NYM ISSA MEETING Cellular Eavesdropping: an Evidence-based Discussion 12 April 2011 Agenda Information Paths &amp; The IA Security Gap Cellular &amp; Security Eavesdropping Attack Vectors Protection Methods Information Paths On

533 views • 32 slides
Fault-Tolerant and Secure Data Transmission Using Random Linear Network Coding Pouya Ostovari

Fault-Tolerant and Secure Data Transmission Using Random Linear Network Coding Pouya Ostovari

Fault-Tolerant and Secure Data Transmission Using Random Linear Network Coding Pouya Ostovari and Jie Wu Computer &amp; Information Sciences Temple University Center for Networked Computing http://www.cnc.temple.edu Agenda Introduction

398 views • 19 slides
Extending ISO/IEC 14443 Type A Eavesdropping Range using Higher Harmonics Maximilian Engelhardt 1

Extending ISO/IEC 14443 Type A Eavesdropping Range using Higher Harmonics Maximilian Engelhardt 1

Extending ISO/IEC 14443 Type A Eavesdropping Range using Higher Harmonics Maximilian Engelhardt 1 , Florian Pfeiffer 2 , Klaus Finkenzeller 3 , Erwin Biebl 1 1 Fachgebiet Hchstfrequenztechnik - Technische Universitt Mnchen 2 perisens GmbH 3

379 views • 19 slides
Secure Robust Resource Allocation in the Presence of Active Eavesdroppers using Full-Duplex

Secure Robust Resource Allocation in the Presence of Active Eavesdroppers using Full-Duplex

Secure Robust Resource Allocation in the Presence of Active Eavesdroppers using Full-Duplex Receivers VTC Fall 2015, Boston, USA M. R. Abedi, Modares University, Iran N. Mokari, Modares Univrsity, Iran H. Saeedi, Modars University, Iran H.

821 views • 18 slides

More recommend