Mobile Application Security Issues - Case Study Example

Summary

The paper "Mobile Application Security Issues" overviews mobile security issues associated with all layers of the ‘OSI model’, recent threats along with their behavior and triggers that led them to successfully breach the network or mission-critical data of an enterprise…
Security of mobile devices is now one of the most critical success factors for an enterprise and for its ‘Information Technology’ decision makers. As mobile applications and mobile devices are now ubiquitous in the corporate market, they bring a vast variety of security concerns with them. Many poorly developed applications and mobile operating systems carry security vulnerabilities that hackers can exploit. Statistics show that the number of attacks is astounding and increasing day by day. No ‘secure coding’ standards are followed while developing the architecture and functionality of the code; the focus is only on the functionality of the application rather than on security modules, on preventing enumeration, and on availability and confidentiality. This study addresses all these issues, backed by surveys and reports, and demonstrates advanced threat modeling examples, their mitigation, and effective controls for preventing mobile application security breaches.

Introduction

The use of mobile devices is rapidly increasing: “Forrester estimates that the revenue from paid applications on Smartphones and tablets was $2.2 billion worldwide for 2010 with a CAGR of 82% through 2015” (Rachwald 19). According to the report published by Forrester Research, the security risks of mobile devices are shifting to applications (Frenkel 1-1). Hackers followed the same progression when compromising the network layer, which is not limited to routers and switches, before moving on to hit the ‘presentation layer’ and ‘application layer’. Likewise, the research cited several sources on embedding security in mobile applications. The issues are categorized below (Frenkel 1-1):

(1) The ‘chief information security officer’, or any related security team in an enterprise, has no control over, or visibility into, mobile networks and the devices connected to them.
Likewise, the vulnerabilities of the mobile operating system are not linked to the threats that may exploit them. Consequently, the first line of defense is to mitigate the risks that have been identified.

(2) Employees use multiple mobile devices at home, in the office, and in between while travelling on business. Because these devices carry strategic organizational data, they must be patched more regularly than traditional patch management in the enterprise provides for. A study conducted by the organization ‘Webroot’ concludes that more than 83% of ‘IT’ staff believe the use of mobile devices poses a high security risk for enterprises (Frenkel 1-1). This increased risk pushes organizations to spend more effort and money to close the gaps associated with mobile devices while at the same time making their employees more productive.

Mobile Threats

‘Mobile threats’ now originate from a variety of sources. Figure 1 shows the mobile environment and the sources from which these threats can be launched.

Figure 1. Source: (Jain and Shanbhag 28-33)

Mobile Malware

Malware is already a massive concern in the PC world, and it has now started targeting mobile phones, turning them into spam-generating machines rather than ‘communication devices’. Spyware, for instance, is now a serious issue that targets the mobile platform more effectively, with the result that the privacy of mobile data is compromised. Only a few applications transmit phone call and message logs undetectably to external sources; one application that performs such activity is known as ‘Flexispy’ (Hypponen 70-77). An ‘eavesdropping’ attempt, however, depends on the spying application first being installed on the phone. The day is not far when hackers will embed the same characteristics and automate the eavesdropping process.
Mobile devices now offer many recording features, and care should be taken to perform a security risk assessment to mitigate threats that may misuse these applications and services and invade privacy. Currently, developers of such mobile applications have primarily focused on social engineering, that is, on activities that lead users to install malicious code on mobile devices. Likewise, some applications behave legitimately at the ‘front end’ while the back end is hidden from the user; a prime example of this type of application is a computer or mobile game. Apart from games, there are unique pieces of ‘malware’ such as ‘Commwarrior’ and ‘Cabir’ that can successfully compromise communication devices via Bluetooth. Security awareness is not optimal, and people accept the file instead of reading the warning message indicating a security risk. For ‘bring your own device’, a survey spanning several organizations shows a robust increase in the exposure of enterprise data residing on mobile devices, while organizations ‘brawl’ to tackle these risks as they continue to rise (Musthaler, Linda).

Mobile Browser Vulnerability

To understand the magnitude of the Heartbleed attack, we first need to clarify what SSL and, by extension, ‘OpenSSL’ are, and then learn exactly what they do. SSL (Secure Sockets Layer) is a security standard that allows information to be transmitted securely between you and a service without the risk of a third party intercepting vital information. OpenSSL is merely an ‘open-source project’ updated and maintained by volunteers, with contributions from a well-informed community of programmers (Messmer 10-10). For SSL to work, the mobile device needs to communicate with a server. To do this, it sends out a “heartbeat”: a specific signal sent to the server to check whether that server is online.
If the server is online, it transmits that signal straight back to the mobile device, letting us enjoy secure communications. Both the computer and the server send heartbeats at regular intervals to confirm that neither the user nor the server, i.e. the service, is offline (Messmer 10-10). Heartbleed exploits this “heartbeat” by sending the server a heartbeat signal that is malicious in nature. That malicious heartbeat more or less tricks the server into returning a random amount of its memory to the user who sent it. That memory can contain a random collection of email addresses, usernames and passwords, some of which may belong to the company running the server. This gives hackers a method of infiltrating and exploiting information across the Internet.

Hilton’s Case

As reported by the investigative reporter Brian Krebs, two Bancsec researchers, JB Snyder and Potter, discovered a security loophole through which an attacker had recently accessed Hilton HHonors accounts. The access was carried out by entering the account number and password. Snyder and Potter realized that they could easily take over other Hilton HHonors accounts simply by signing in, modifying the HTML content, and refreshing the page. This can cause serious damage, as it allows the hacker to use the account completely as if it were his own: he can change the password, view all past and current bookings, change personally identifiable information and, worst of all, spend the reward points Hilton awards for travel and other activities. According to Snyder, the flaw is what is known as ‘cross-site request forgery’. The liability in this case was particularly dangerous because logged-in clients did not need to re-submit their passwords.
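The heartbeat exchange described above can be made concrete with a responder that applies the length check the Heartbleed fix introduced. This is an added example, not code from the essay or from OpenSSL; the record layout (one type byte, a two-byte big-endian payload length, the payload, then at least 16 bytes of padding) is assumed from the TLS heartbeat extension, the function names are mine, and the two sample records are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed record layout (TLS heartbeat extension):
 * [type:1][payload_length:2, big-endian][payload][padding >= 16]. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

typedef struct {
    uint8_t        type;
    uint16_t       payload_len;  /* claimed length, once validated */
    const uint8_t *payload;      /* points into the received record */
} heartbeat_t;

/* Validate a received heartbeat record: 1 if well-formed, else 0 (drop it). */
int parse_heartbeat(const uint8_t *rec, size_t rec_len, heartbeat_t *out)
{
    if (rec == NULL || out == NULL)
        return 0;
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)  /* type + len + padding */
        return 0;
    uint8_t  type    = rec[0];
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if (type != HB_REQUEST && type != HB_RESPONSE)
        return 0;
    /* The check Heartbleed lacked: header + claimed payload + padding must
     * fit in the bytes received; without it `claimed` bytes are copied from
     * the payload pointer, echoing whatever follows the record in memory. */
    if ((size_t)HB_HEADER_LEN + claimed + HB_MIN_PADDING > rec_len)
        return 0;
    out->type        = type;
    out->payload_len = claimed;
    out->payload     = rec + HB_HEADER_LEN;
    return 1;
}

/* Echo the validated payload plus zeroed padding. Returns bytes written or 0. */
size_t build_heartbeat_response(const heartbeat_t *req, uint8_t *resp,
                                size_t resp_cap)
{
    size_t need = (size_t)HB_HEADER_LEN + req->payload_len + HB_MIN_PADDING;
    if (req->type != HB_REQUEST || resp_cap < need)
        return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = (uint8_t)(req->payload_len >> 8);
    resp[2] = (uint8_t)(req->payload_len & 0xff);
    memcpy(resp + HB_HEADER_LEN, req->payload, req->payload_len);
    memset(resp + HB_HEADER_LEN + req->payload_len, 0, HB_MIN_PADDING);
    return need;
}

/* Responder path on a local buffer: response length, or 0 if rejected. */
size_t respond_to_heartbeat(const uint8_t *rec, size_t rec_len)
{
    heartbeat_t hb;
    uint8_t resp[64];  /* large enough for the constructed samples below */
    if (!parse_heartbeat(rec, rec_len, &hb))
        return 0;
    return build_heartbeat_response(&hb, resp, sizeof resp);
}

/* Constructed samples: honest 24-byte request "hello"; one claiming 65535. */
static const uint8_t good_rec[] = { 1, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
static const uint8_t bad_rec[]  = { 1, 0xff, 0xff, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
```

The honest record yields a 24-byte response, while the record claiming 65535 payload bytes is dropped before any copy takes place.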
In his discussion of the matter with Krebs, Snyder said that if Hilton held detailed personally identifiable information, it ought to have performed web application tests. To verify the flaw, the researchers Snyder and Potter took Krebs’s account number and within a few seconds the account was compromised; screenshots of the account pages were also available as evidence. Hilton published this message: “any individual who changes his password before April 1st, 2015 will be awarded 1000 free points”. The announcement was a disaster at that time. An email sent to Hilton confirmed the removal of the threat and praised the team members for keeping a continuous check on the information uploaded online, as the company takes serious initiative in keeping its clients’ personal information safe. In response to this email, Krebs reported that the problem had been fixed. In a statement given to ‘eSecurity Planet’, ‘Red Seal’ chief evangelist Steve Hultquist said that it is quite difficult to check a specific system, that there are chances of threats even from the simplest websites, and that to avoid them systems need to be updated and analyzed properly. A core team of roughly 20 J.P. Morgan employees, headed by its chief operating officer, Matt Zames, supervised the organization’s response to a possible cyber-attack. For the USB virus, a philosophical split among security researchers is evidenced by Caudill’s statement: “There are those who opt to hide the flaws they discover beneath wraps so as to protect the public explicitly, and then there are others that rely on disseminating their software exploits, considering it the most effective way to pressurize the industry to fix security flaws without delay.” In an interview with Wired, Caudill said that even though this particular flaw had not been employed by hackers to date, he imagines that well-funded corporations, like the NSA, have already acquired the capability and might well be using it.
The device’s firmware controls its basic functionality, and this is where the malware is stored (USB Stick Caused Virus 02). Detection therefore becomes very challenging, and on top of that the malware cannot be deleted by clearing the storage contents. Caudill additionally demonstrated how the malware can secretly conceal files and disable password-protected security features. On August 1 the organization announced that the email addresses of 76,000 users and the encrypted passwords of 4,000 users of the Mozilla Developer Network had been exposed for a period of 30 days after a database dump file was stored on a publicly accessible server (McHale 33-43). A new data security breach disclosed on Wednesday is apparently comparable, as it was also caused by leaving ‘database dump files’ in an exposed location on a server for approximately three months beginning May 4th. According to Mark Côté, the Bugzilla project’s assistant lead, the files had been created during the migration of an experimental server for primary builds of the bug tracking software. Moreover, for Sandworm, Mozilla and SSL Poodle, Cisco has verified the presence of the vulnerability and has released a software patch. The vulnerability was identified by Oksana and duly reported to Cisco by HP’s Zero Day Initiative.

Proactive Protection

Hackers are designing threats whose attack vectors originate at the source end rather than targeting each communication device individually. Mobile malware and mobile browser threats, for instance, target communication devices from the host end and are designed to transfer the payload from destination to source. For this reason, organizations need to protect core devices rather than focusing on end-user antivirus or antimalware solutions. Likewise, contemporary business tendencies are unified to expedite processes and functions by means of computing procedures.
Organizations preserve mission-critical data on servers protected by proficient hardware-based or software-based security applications at a reduced cost. The CEO is committed to taking action after a security breach; as in the case of the Apple security breach, the following factors are obligatory in order to bear the consequences in a resourceful manner. These factors are (Calder):

(1) Identification of the staff responsible for the security protection and prevention of data assets on the communication device or network.

(2) Security objectives that illustrate the risk mitigation methods to be followed in every phase of the network, i.e. the maintenance phase, expansion phase, security breach phase, etc.

(3) Benchmark testing, which is essential at this point as it highlights the overall structure of the current network with its weak security boundaries, so that security professionals can summarize what has actually happened and how to repair it.

(4) Hackers remove their traces from the system as far as possible, because they do not want anyone tracing them; in fact, there are cases where hackers retain access to networks for a long time without revealing their presence. In that case, logs are the ultimate weapon for eliminating their hidden access.

(5) A recovery plan, in order to recover quickly from a security breach. A recovery plan may include a list of actions to perform in a short time and hence may save the reputation of the company.

(6) Staff training. In training sessions, the usage of social networking sites must be prohibited, as it facilitates the hacker even more. For instance, if there is a security breach in an organization, every employee must be restricted from social networking sites, as they tend to share the status of the workstation as offline/online.

(7) All security-concerned personnel must focus on limiting the breach from spreading to other parts of the network as well.
For detecting the characteristics of a security breach immediately, a preliminary assessment is an essential task. The assessment provides the characteristics of the threat, which help to develop a plan containing all the actions that need to be followed. In the scenario, the email addresses of thousands of people were compromised. It is the responsibility of the organization to notify its valued customers of what has happened and what the consequences linked with the breach will be. There are many ways to notify customers, for example email, telephone or SMS.

Security Breach Notification via Email

Whenever an organization is affected by a hacking attempt or security breach, support staff compose an email and forward it to all customers. An example of such an email is given below:

Dear Valued Customer,

Our security team discovered a security breach on 10 June 2010 that exposed 114,000 email addresses of our respected customers. In order to trace and remove the threat from the network, we have implemented the following tasks in order to guarantee your safety:

We have shut down email services momentarily for all users.

We have established a dedicated, highly skilled security team to conduct an in-depth exploration and analysis of the security breach and the reason it occurred.

Hardware- and software-based security modules are being evaluated in order to add security at the utmost level.

We greatly appreciate your patience and cooperation during this time, as our dedicated security team investigates the security breach in order to provide a lasting solution.
For the moment, the examination is still in progress; the group of individuals has gained access to the following information:

Email addresses

All the information contained in the email body

If you receive any call asking for too much personal information or asking you to confirm bank accounts or credit card numbers, please be aware that these people are not necessarily honest. Depending on the information shared in your emails, this security breach may have other dimensions. Kindly review your bank account statements, credit reports, and anything else you consider relevant to the scenario, as there is also a likelihood of identity theft and financial loss. We need your mutual support and understanding regarding this security breach. Thanks again for your cooperation and patience.

Apple Inc.

Moreover, an antivirus solution will prevent mobile malware from penetrating the mobile operating system (Leonard). Even where suspicious software is not removed or mitigated, antivirus can nonetheless generate alerts about it, and it can also detect and quarantine malicious software for later destruction. Mobile phone manufacturers need to enforce controls for installing and updating antivirus or firewall software on first use. Similarly, ‘heart-bleed’ infection can be prevented by installing the patches provided by the company. The Shellshock vulnerability is a big concern since it eliminates the need for specialized knowledge and offers a simple (unfortunately, very basic) means of taking control of another computer, or even a web server, and making it run code. For the USB virus and ‘Bugzilla’, every technology employee needed to reset passwords, and the personnel concerned had their accounts disabled, according to people familiar with the bank’s response. It has been reported that hundreds of employees from J.P. Morgan’s technology and cyber security teams have labored since mid-August to inspect data on more than 90 servers that were compromised.
Conclusion

We have thoroughly discussed the mobile security issues associated with all layers of the ‘OSI model’. Likewise, recent threats have been discussed in detail along with their behavior and the triggers that led them to successfully breach the network or mission-critical data of an enterprise. Moreover, we have also discussed the mitigation strategies for these varieties of threats. One must understand the risk tolerance level of an organization in order to devise mitigation or remediation strategies for it. As mobile phones become more and more sophisticated, there is a need for embedding layers of security on servers and hosts that can be controlled by the IT staff of an enterprise. Further, awareness among employees is essential for mitigating a good percentage of these threats, which are now known as advanced persistent threats. In addition, we have also discussed the response, decisions and line of action required from executive management for incidents or security breaches that may or may not directly impact communication devices.

Works Cited

Frenkel, Karen A. “Mobile Apps Need Better Security.” CIO Insight (2013): 1-. Print.

Hypponen, Mikko. “Malware Goes Mobile.” Scientific American 295.5 (2006): 70-7. Print.

Messmer, Ellen. “Symantec Finds Porn Sites most-often Exploited.” Network World 28.2 (2011): 10-. Print.

USB Stick Caused Virus. Nelson Mail, The, 2010. Print.

McHale, Nina. “Managing Library IT Workflow with Bugzilla.” Code4Lib Journal 11 (2010): 33-43. Print.

Jain, A. K., and D. Shanbhag. “Addressing Security and Privacy Risks in Mobile Applications.” IT Professional 14.5 (2012): 28-33. Print.

Rachwald, Rob. “Mobilizing for Mobile Security.” 07; 2015/4 2011: 19. Print.

Leonard, R. Application Control 40 Success Secrets - 40 Most Asked Questions on Application Control - What You Need to Know. Emereo Publishing, 2014. Print.

Calder, Alan. Ten Rules of Information Security for the Smaller Business. Ely: IT Governance Pub, 2008. Print.