Capacity Building through Curriculum and Faculty Development on Mobile Security
With more schools developing teaching materials on mobile application development, the development of mobile security materials is needed. By doing so, security will become a natural and integral part of mobile application development instead of an add-on component. Moreover, the wealth of sensors and GPS information available in mobile devices allows us to design interesting hands-on materials, such as using sensors to explore randomness in cryptography, and GPS to investigate file protection.
Mobile security is not well represented in the undergraduate computing curriculum. We propose mobile security teaching modules to be integrated into existing undergraduate classes. Our overall goal is to address the needs and challenges of building capacity in mobile security through effective, engaging and investigative approaches. The objectives of this project are:
- Build capacity through curriculum development on mobile security
This objective will address the lack of pedagogical materials for mobile security. We will first develop a course on Mobile Security with a collection of hands-on materials that will improve the ability of students to apply mobile security techniques to solve real-world problems. We will then develop six transferable modules that will be mapped to ISA KAs proposed in CS curricula 2013.
- Build institutional capacity by integrating mobile security modules into curricula
We will integrate six modules on mobile security into existing curricula at four participating institutions: UTC, TU, SPSU, and UC.
- Build faculty expertise and partnership in mobile security through faculty development
We will hold two faculty summer workshops, with the first workshop at UTC and the second workshop at TU, in years 2 and 3. Each workshop will have at least 40 participants (with 20 on-site and 20 distant participants). Mobile security teaching materials will be demonstrated and hands-on exercises will be practiced during the workshops.
The mobile security course will cover threats, attacks and defenses of mobile computing platforms, spanning secure coding, cryptography, physical security, secure communication, policy management, and mobile cloud, where mobile devices outsource their computing tasks to the cloud. Mobile cloud can take advantage of the inherent benefits of cloud computing through its monitoring, security detection and malware prevention capabilities to protect its mobile customers.
Prerequisite: mastery of at least one high-level programming language, and college Calculus I.
Topic 1: Introduction to Mobile Computing (slides)
Topic 3: Mobile Security Basics (slides)
Discusses the current state and scope of mobile security. Also covers basic measures to stay safe when using mobile devices, such as using passwords, downloading apps from trusted sources, being alert for unusual behaviors, etc.
Topic 4: Mobile OS Security Model Comparison (slides)
Discuss iOS, Android, Windows Mobile, and Blackberry based on their security implementations, which rest, to varying degrees, upon five distinct pillars: 1) Traditional access control such as passwords and idle-time screen locking, 2) Application provenance that stamps each application with the identity of its author, 3) Encryption that conceals data at rest to address device loss or theft, 4) Isolation (sandboxing) that limits an application’s ability to access the sensitive data or systems on a device, and 5) Permission-based access control that grants a set of permissions to each application and therefore limits each application to accessing device data/systems that are within the scope of those permissions.
Topic 5 Threats and vulnerabilities in mobile application (slides)
Mobile malware (slides)
Mobile malware engages in malicious behavior, collects data without a user’s knowledge or approval, gathers sensitive or personally identifiable information, or leaves a security hole in the device. Mobile malware includes: 1) Activity monitoring and data retrieval; 2) System modification such as an Android rootkit; and 3) Unauthorized dialing, SMS, and payments such as premium-rate SMS.
Web-based and network-based threats
Web-based and network-based threats take advantage of flaws in web-based applications and networks. They include 1) User interface impersonation; 2) Client-side attacks such as the cross-application scripting attack; 3) Server-side attacks such as the Android Drive-by-Download Attack; 4) Unauthorized network connectivity (exfiltration or command & control); and 5) Wi-Fi sniffing.
Physical threats from lost or stolen devices
Sensitive personal and organizational information may be lost together with the hardware itself. The private and sensitive data stored in the phone will be lost together with the phone.
Attackers use techniques to mislead users into downloading malware and spyware unknowingly. The threats include repackaged apps; update attacks; and malvertising.
Vulnerabilities of mobile applications
The vulnerabilities caused by errors in design or implementation will expose the mobile data to interception and retrieval by attackers. They will also expose the mobile device or the cloud applications used from the device to unauthorized access. 1) Sensitive data leakage (inadvertent or side channel); 2) Unsafe sensitive data storage; 3) Unsafe sensitive data transmission; and 4) Hardcoded password/keys.
Topic 6 Secure development in mobile computing (slides)
1) Validate input in mobile programming: reject-known-bad; accept-known-good
2) Avoid storing secrets in mobile application code
3) Use the least-privilege model for system access
4) Isolate file system and database
5) Impose restriction on access to components
6) Security testing: buffer overflows, integer overflows, format strings, etc.
Topic 7 Using cryptography in mobile computing (slides)
1) Cryptography basics: symmetric cryptography, public-key cryptography, hash function and digital signature
2) Protecting stored data
3) Secure key generation and management of mobile devices
4) Mobile phone authentication
Topic 8 Secure communication of mobile devices (slides)
1) How to choose secure communication protocols, such as leveraging SSL for remote authentication and using HTTPS for web traffic
2) How to validate server privilege boundary in networked applications
3) How to use certificates and avoid man-in-the-middle attacks
Topic 9 Security Policy and Governance (slides)
1) Manage Permissions to subsystems such as networking, messaging, address book, global positioning system, etc.
2) Manage application provenance: digital signing model, vetting and distribution channel
3) Manage mobile devices: setting the password strength, disabling specific device functions to prohibit potentially risky behaviors, wiping the lost or stolen devices, etc.
4) Secure browser: using the third-party secure web browser that checks the URL against a blacklist or reputation database and then blocks any malicious pages.
5) Enterprise sandbox: dividing the device’s content into different zones for different types of data
Topic 10 Mobile cloud computing – future of mobile computing (slides)
Having applications and services residing in the cloud mitigates the need for installing and maintaining highly complex virus scanning and malware protection on the handsets themselves. 1) Cloud-access protection: To use strong authentication to ensure that only personnel with authorization can access cloud-based services, and 2) identity protection: identify apps, devices, and end users; associate device with users.
Hands-on Labs (Download manual from here)
Lab Manual from Summer workshop
Installation tutorial for Android SDK with Eclipse.
- Installation of JDK
- Installation of Eclipse
- Installation of Android SDK for Eclipse
Threats of Lost or Stolen Mobile Devices.
- Remote Lock or Wipe
Unauthorized Mobile Resource Access.
- Authentication: Single Sign-on
- Authentication: Two Factor Authentication
Data, Location and Cryptography Privacy.
- Encryption/Decryption on SMS
- Detecting and removing malware via tool
- Mobile Malware Attack : Trojan
- Mobile Malware Defense
- Detecting and removing spyware by tool
- “Penetration Test and Analysis” on Spyware Threat/Attack
- Defence: Reverse Engineering Analysis
- Students learn cryptography basics (concepts, algorithms, techniques, implementation, and evaluation) for mobile apps.
- Students learn basic cryptography implementation for Android mobile security.
- Key Management
- Digital Signature
Secure Coding Module
- Differentiate between secure coding and patching and explain the advantage of using secure coding;
- Identify common security defects in software and describe their potential impact;
- Explain the role secure coding plays in the secure software development process; and
- Analyze the relationship between secure coding and confidentiality, integrity and availability.
- Secure coding,
- Input validation;
- Vulnerabilities in mobile programming,
- Mobile malware,
- Restriction on access to components, and
- Isolation of file system and database
We will investigate premium-rate Short Message Service (SMS) Trojans that have been discovered in Google’s Android Market. We will analyze how the Trojans, if installed, would send expensive short messages and how they were disguised as free versions of popular apps such as Angry Birds and Cut the Rope. We will be challenged to design solutions to block and scan for mobile Trojans. We will also reflect on the security strength of the current permission models, which depend heavily on the end user’s permission and knowledge. We will also evaluate application provenance, which is designed to link the reputation of developers to their mobile applications.
Security Architecture Module
- Understand how to outsource application and data to a cloud in mobile computing which will leverage services provided by cloud providers.
- Deal with the various aspects arising in architecting secure complex systems, such as analyzing and identifying system threats and vulnerabilities, and investigating operating systems security.
- Overview of mobile security,
- Mobile OS security model,
- Security policy and governance,
- Mobile cloud computing,
- Cloud-access protection,
- Identity protection
Hands-on Lab #1:
A race condition is a situation that occurs when multiple processes access and manipulate the same data concurrently. When the same data is modified in the wrong order by multiple processes, the program execution result can be problematic. Such a problematic outcome may be a potential threat or may expose sensitive data from the operating system if the program is running with privilege. In this lab, we will provide an Android application with a race condition which may reveal the GPS location information from the Android system. The threat may give the attacker an opportunity to track the device owner’s geographical location. We will provide the students a problematic Android program which has a potential race condition. The program simply reads a file XYZ from a privileged directory, which requires the program to be a setuid program so that it can get the proper privilege, such as root, when reading the file.
We will also provide another Android program, which runs correctly and continuously gets the geographical location (longitude and latitude) from the GPS sensor of the device. The program continuously writes and updates the location in a file “geolocation.txt”. We treat this file as sensitive because it may reveal the device owner’s geographical location.
In this setting, the problematic Android program runs as follows: it first checks the user permission in order to decide whether to grant the root privilege; then it waits for a period, for example 500ns; after that it reads from the file XYZ with the root privilege. The problematic part of this program is the wait. While the program is waiting, another, malicious process can create a symbolic link with the name XYZ that points to the sensitive file “geolocation.txt”. Since the problematic program is now running with root privilege, it may read the information in the sensitive file “geolocation.txt”. In this way, the problematic program can reveal the device’s geographical location information.
Hands-on Lab #2
Both the mobile device and identity of its owner need to be authenticated. We will investigate identity protection and authentication solutions. The identity protection will ensure that only employees with trusted devices that comply with corporate security policy can access corporate applications and data, such as implementing a personal security token or credential on each mobile device.
We will design an authentication mechanism that will authenticate the mobile device, its owner, and the association between them. Techniques including biometrics, fuzzy vault and zero-knowledge authentication will be employed in the design. We will also analyze the design in the face of various threat models such as lost/stolen device, unauthorized access, network sniffing and replay attacks.
Assessment: Students are able to analyze security requirements in identity protection of using mobile devices, to design a solution meeting the requirements, and evaluate their design.
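The check-then-read race in Hands-on Lab #1 of this module, next to a hardened reader, as an added example that is not part of the original lab materials. It is a Python sketch for a POSIX system rather than the lab's Android program; the function names, the `between` hook that stands in for the wait period, and the sample file contents are assumptions made for illustration.

```python
import os
import stat
import tempfile


def read_checked_then_opened(path, between=None):
    """Vulnerable pattern: the check and the read resolve the name separately.

    `between` is a hypothetical hook standing in for the lab's wait period.
    """
    if os.path.islink(path) or not os.access(path, os.R_OK):
        raise PermissionError("refused: " + path)
    if between:
        between()                       # race window: the name can be re-pointed
    with open(path, "rb") as fh:        # second lookup follows whatever is there now
        return fh.read()


def read_opened_then_checked(path):
    """Hardened: open once without following a link, then check the open file."""
    # O_NOFOLLOW makes open() fail if the final path component is a symlink.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "rb") as fh:
        st = os.fstat(fh.fileno())      # metadata of the object actually opened
        # Accept only a regular file owned by the invoking (real) user.
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid():
            raise PermissionError("refused: unexpected object behind " + path)
        return fh.read()


def demo():
    """Run both readers against the same swap in a constructed sandbox."""
    with tempfile.TemporaryDirectory() as d:
        xyz = os.path.join(d, "XYZ")
        geo = os.path.join(d, "geolocation.txt")
        with open(geo, "w") as fh:
            fh.write("12.3456,-65.4321\n")      # constructed sample coordinates

        def make_xyz():
            if os.path.lexists(xyz):
                os.remove(xyz)
            with open(xyz, "w") as fh:
                fh.write("public\n")

        def swap():                              # what the second process does
            os.remove(xyz)
            os.symlink(geo, xyz)

        make_xyz()
        leaked = read_checked_then_opened(xyz, between=swap)

        try:                                     # XYZ is still the symlink here
            read_opened_then_checked(xyz)
            blocked = False
        except OSError:
            blocked = True

        make_xyz()
        normal = read_opened_then_checked(xyz)
    return leaked, blocked, normal


if __name__ == "__main__":
    print(demo())
```

O_NOFOLLOW only guards the final path component; a privileged program would also switch to the caller's identity before opening the file.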
Network Security Module
- Be able to develop their own version of mobile security protocol with customized services including confidentiality, integrity, and authentication. Protected transmission of multimedia data such as image or video using apps will be preferred.
- Overview of mobile security,
- Network-based threats,
- Using secure protocols such as SSL, HTTPS, and using certificates
Hands-on Lab #1:
We will experience a network covert channel that uses a shared resource, namely a network communications channel, to transfer information in a way that it was not initially designed for. We will exfiltrate data from a secure location to a non-secure location by implementing a network covert channel. We will also evaluate whether the covert channel can be detected or prevented by traditional information security protection techniques including firewalls, encryption, or intrusion detection systems.
Hands-on Lab #2
Key management deals with several aspects, including key generation, key exchange, key storage, key use, and replacement of keys. Key generation is the first step of key management and it is a crucial step. Keys should be generated in a secure way. A secure way means that the secret key should be generated randomly. The widely used random number generation API does not generate real random numbers. The numbers it generates are called pseudo-random numbers and they are not good candidates for key usage. In practice, in order to gain a more secure key generation method, we can utilize the data of force, gravity, geographical location or temperature from the environment to generate a random number seed. Then we can use the seed to generate a secret key. In the mobile environment, most cellphones have several sensors which can track this information. This lab will utilize these mobile environment benefits to generate keys.
Most key generation algorithms need one or more random numbers. However, the “random number” given by the API functions is not truly “random”. These numbers are the so-called pseudo-random numbers. Someone can figure them out by reasonable selective guessing. In the security area, this could be a big problem. For this reason, generating a truly random seed seems to be a necessity. In this lab, we will provide a new way of generating random numbers – “shake” – that helps generate a random “seed” using external environment information such as geographical location, time, shaking speed, gravity, or others. Since most Android smart phones have these related sensors built in, we may utilize these sensors to retrieve this random data when shaking the device.
We can use the accelerometer, which is a built-in sensor of Android mobile devices, to detect the “shake” event. The onSensorChanged() function of the SensorListener is invoked every time the sensor values change. The values are a set of coordinates (acceleration) along the X, Y and Z axes. We can get the moving speed by the following formula:
Speed = (Dis(X) + Dis(Y) + Dis(Z)) / T
Dis(X), Dis(Y) and Dis(Z) are the moving distances along each axis. T is the interval time. When the speed reaches a certain value, we can assume that a shake has occurred.
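One way to turn the shake formula above into a key, as an added example that is not the lab's own code. It assumes Dis(A) is the absolute change in the reading on axis A between two samples, and uses a hypothetical threshold and constructed accelerometer samples. Going beyond the lab text, it mixes the shake data with os.urandom output through HKDF-style HMAC-SHA256 so that the key does not rest on sensor readings alone.

```python
import hashlib
import hmac
import os
import struct

SHAKE_THRESHOLD = 8.0   # hypothetical cut-off, in sensor units per second

# Constructed (t_seconds, x, y, z) accelerometer samples: rest, four shakes, rest.
SAMPLES = [
    (0.00, 0.0, 0.0, 9.8),
    (0.02, 0.0, 0.1, 9.8),
    (0.04, 3.1, -2.4, 11.0),
    (0.06, -4.0, 5.2, 7.5),
    (0.08, 2.2, -6.1, 12.3),
    (0.10, -1.7, 4.4, 6.9),
    (0.12, -1.7, 4.4, 6.9),
]


def shake_speed(prev, cur):
    """Speed = (Dis(X) + Dis(Y) + Dis(Z)) / T for two consecutive samples."""
    t0, *a0 = prev
    t1, *a1 = cur
    interval = t1 - t0
    if interval <= 0:
        return 0.0      # duplicate or out-of-order timestamp: not a shake
    return sum(abs(b - a) for a, b in zip(a0, a1)) / interval


def shake_samples(samples, threshold=SHAKE_THRESHOLD):
    """Samples whose speed relative to the previous sample reaches the threshold."""
    return [cur for prev, cur in zip(samples, samples[1:])
            if shake_speed(prev, cur) >= threshold]


def derive_key(samples, os_random=None, min_shakes=4, length=32):
    """Derive up to 32 key bytes from shake samples mixed with OS randomness."""
    shakes = shake_samples(samples)
    if len(shakes) < min_shakes:
        raise ValueError("not enough shake events to contribute to the key")
    # Sensor readings are coarse and partly predictable, so they are an extra
    # input to the derivation, not the only one.
    sensor_bytes = b"".join(struct.pack("<4d", *s) for s in shakes)
    if os_random is None:
        os_random = os.urandom(32)
    # HKDF (RFC 5869) with SHA-256: extract, then one block of expand.
    prk = hmac.new(os_random, sensor_bytes, hashlib.sha256).digest()
    okm = hmac.new(prk, b"shake-key" + b"\x01", hashlib.sha256).digest()
    return okm[:length]


if __name__ == "__main__":
    print(len(shake_samples(SAMPLES)), derive_key(SAMPLES).hex())
```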
Web Security Module
- Understand root causes of web-based attacks
- Be able to design policies governing development of web applications
- Be able to propose countermeasures for web-based attacks, and design solutions for secure web applications
- Overview of mobile security
- Web-based threats such as user interface impersonation
- Client side attacks
- Server side attacks
- Security policy and governance such as secure browser
Hands-on Labs:
Cross-Site Scripting (XSS) is a security vulnerability exploited in web applications. XSS attacks mainly exploit the web application by injecting a malicious script into a victim's browser. Since the injected script can be run in the victim's browser, many malicious activities can be carried out, including theft of the victim's credentials (cookies). In this lab we will demonstrate an XSS attack on an Android device with a pre-prepared environment. Students will be provided a message board web application which allows users to post their comments to the server. The provided message board application does not restrict the user’s input to the application, which means that the user can post scripts in their comments. As a result, when a smart phone user opens this web application using the web browser on the smart phone, the malicious comments which contain executable scripts will be executed by the smart phone browser. In this situation malicious activities can be achieved, such as cookie theft, impersonating the victim using the stolen cookies, or spreading self-propagating XSS worms. In this lab, we need the students to utilize the provided message board application to steal the session ID from a smart phone browser and then use the stolen session ID to forge an HTTP request that posts a message.
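The defensive side of the message board lab, as an added example that is not the lab's application: the same constructed comments rendered without and with output encoding, a parser-based count of the active content that results, and a session cookie marked HttpOnly so that page scripts cannot read it. The post data, the function names and the cookie name SESSIONID are assumptions.

```python
import html
from html.parser import HTMLParser
from http.cookies import SimpleCookie

# Constructed sample posts; the second carries markup instead of plain text.
POSTS = [
    ("alice", "Nice lab!"),
    ("mallory", '<script>alert(1)</script><img src=x onerror="alert(2)">'),
]


def render_board(posts, encode=True):
    """Build the comment list; encode=False reproduces the unrestricted board."""
    enc = html.escape if encode else (lambda s: s)
    items = "".join("<li><b>%s</b>: %s</li>" % (enc(author), enc(text))
                    for author, text in posts)
    return "<ul>%s</ul>" % items


class ActiveContentCounter(HTMLParser):
    """Counts script elements and on* handler attributes that a parser sees."""

    def __init__(self):
        super().__init__()
        self.active = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.active += 1
        self.active += sum(1 for name, _ in attrs if name.startswith("on"))


def active_content(page):
    """Number of script tags and event-handler attributes in the rendered page."""
    counter = ActiveContentCounter()
    counter.feed(page)
    counter.close()
    return counter.active


def session_cookie_header(session_id):
    """Set-Cookie value for a session ID that scripts in the page cannot read."""
    cookie = SimpleCookie()
    cookie["SESSIONID"] = session_id
    cookie["SESSIONID"]["httponly"] = True      # hidden from document.cookie
    cookie["SESSIONID"]["secure"] = True        # sent over HTTPS only
    cookie["SESSIONID"]["samesite"] = "Strict"
    cookie["SESSIONID"]["path"] = "/"
    return cookie["SESSIONID"].OutputString()


if __name__ == "__main__":
    print(active_content(render_board(POSTS, encode=False)))
    print(active_content(render_board(POSTS)))
    print(session_cookie_header("abc123"))
```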
Security Policy and Management Module
- Understand importance of security policies
- Design security policies for mobile devices in an enterprise environment
- Be able to critique and update security plans
- Security policy and governance
- Permission models, sandbox
- Mobile device management
- Application provenance management
When users use personal devices at work, enterprise data may be downloaded and stored in mobile devices. Students will design enterprise security policies that 1) protect enterprise data downloaded or stored in the mobile devices; 2) separate the personal data from enterprise data and protect its privacy; 3) protect enterprise and personal data in lost/stolen devices using techniques such as encryption, remotely locating lost devices, and remotely deleting data from lost/stolen devices.
This collaboration draws its strengths from four institutions in four states: University of Tennessee at Chattanooga (UTC), Tuskegee University (TU), Southern Polytechnic State University (SPSU) and University of Cincinnati (UC). UTC, SPSU and TU have been designated as CAE/IAE by the National Security Agency (NSA), and will bring their expertise into this collaboration. TU, as a pioneer of minority education, will be instrumental in outreach efforts, especially for minority students. UC, with its well-designed security program, will provide training to U.S. defense and government contractors through Northrop-Grumman Company.
- Minzhe Guo, Prabir Bhattacharya, Kai Qian and Li Yang, WIP: Authentic Learning of Mobile Security with Case Studies, Frontiers in Education Conference (FIE), October 2013.
- Minzhe Guo, Kai Qian, Ming Yang, KuoSheng Ma, Liang Hong, Li Yang, Android-Based Mobile Sensory System Labware for Embedded System Education, IEEE International Conference on Advanced Learning Technologies (ICALT), Beijing, China, July 2013.
- Ming Yang, Kai Qian, Minzhe Guo, Prabir Bhattacharya, Guillermo Francia, Li Yang, Enhance Computer Networks Learning with Hands-on Mobile Device Based Labware, Proceedings of the ACM Technical Symposium on Computer Science Education (SIGCSE), March 2013.
- Minzhe Guo, Prabir Bhattacharya, Ming Yang, Kai Qian, Li Yang, Learning Mobile Security with Android Security Labware, Proceedings of the ACM Technical Symposium on Computer Science Education (SIGCSE), March 2013.
Andrus and J. Nieh, Teaching Operating Systems Using Android, The 43rd ACM Technical Symposium on Computer Science Education (SIGCSE), Raleigh, NC, 2012.
S. Cooper, L. Perez, and B. Oldfield, Towards Information Assurance Curricular Guidelines, in Proceedings of the 15th Annual Conference on Innovation and Technology in Computer Science Education (ITiCSE), Turkey, June, 2010.
M. Sahami, A. Danyluk, S. Fincher, K. Fisher, D. Grossman, B. Hawthorne, R. Katz, R. LeBlanc, D. Reed, S. Roach, E. Cuadros-Vargas, R. Dodge, R. France, A. Kumar, B. Robinson, R. Seker, A. Thompson, Computer Science Curricula 2013, URL: http://ai.stanford.edu/users/sahami/CS2013/strawman-draft/cs2013-strawman.pdf, retrieved March, 2012.
Android Drive-by-Download Attack, URL: http://www.infosecurity-magazine.com/view/19909/black-hat-2011-google-android-as-vulnerable-to-driveby-downloads-as-pcs-claims-dasient-research/, retrieved April, 2012.
K. Dunham, Mobile Malware Attacks and Defense, Publisher: Syngress, 1 edition, ISBN-10: 1597492981, November 14, 2008.
S. Fried, Mobile Device Security: A Comprehensive Guide to Securing Your Information in a Moving World, Publisher: Auerbach Publications, ISBN-10: 1439820163, June, 2010.
S. Kaza, B. Taylor, H. Hochheiser, S. Azadegan, M. O’Leary, and C. Turner. Injecting Security in the Curriculum – Experiences in Effective Dissemination and Assessment Design. USA. Proceedings of the 14th Colloquium for Information Systems Security Education, Baltimore, MD 2010.
W. Du and R. Wang, SEED: A Suite of Instructional Laboratories for Computer Security Education (Extended Version). In The ACM Journal on Educational Resources in Computing (JERIC), Volume 8, Issue 1, March 2008.
H. Dwivedi, C. Clark and D. Thiel, Mobile Application Security, Publisher: McGraw-Hill Osborne Media; 1 edition, ISBN-10: 0071633561, January 15, 2010.
Flurry Mobile Apps Put the Web in Their Rear-view Mirror: http://blog.flurry.com/bid/63907/Mobile-Apps-Put-the-Web-in-Their-Rear-view-Mirror, June, 2011.
D. Huang, X. Zhang, M. Kang, and J. Luo, “Mobicloud: A secure mobile cloud framework for pervasive mobile computing and communication,” in Proceedings of 5th IEEE International Symposium on Service-Oriented System Engineering, 2010.
2011 Mobile Threat Report, URL: https://www.mylookout.com/mobile-threat-report, retrieved April, 2012.
D. Maslennikov, SMS Trojans: all around the world, Kaspersky Lab, URL: http://www.securelist.com/en/blog/208193261/SMS_Trojans_all_around_the_world, retrieved April, 2012.
A Window Into Mobile Device Security from Symantec, Symantec Security Response, URL: http://www.symantec.com/podcasts/detail.jsp?podid=b-a-window-into-mobile-device-security, retrieved April, 2012.
OpenIntents. SensorSimulator – openintents – Sensor Simulator for simulating sensor data in real time. – Make Android applications work together. – Google Project Hosting. URL: http://code.google.com/p/openintents/wiki/SensorSimulator, retrieved March 2012.
D. Riley, Using Mobile Phone Programming to Teach Java and Advanced Programming to Computer Scientists, The 43rd ACM Technical Symposium on Computer Science Education (SIGCSE), Raleigh, NC, 2012.
R. Rodger, Beginning Mobile Application Development in the Cloud, Publisher: Wrox Press, ISBN: 1118034694, 2011.
Mobile & Smart Device Security Survey 2010 – Concern Grows as Vulnerable Devices Proliferate, Security Week, by White Paper Team, March 13, 2011, URL: http://www.securityweek.com/mobile-smart-device-security-survey-2010-concern-grows-vulnerable-devices-proliferate-0, retrieved March 2012.
Summer 2011 Device Developers’ Security Report, Security Week, By White Paper Team on August 18, 2011, URL: http://www.securityweek.com/summer-2011-device-developers-security-report, retrieved March 2012.
J. Six, Application Security for the Android Platform: Processes, Permissions, and Other Safeguards. Publisher: O’Reilly Media ISBN-10: 1449315070, December 10, 2011.
B. Taylor, S. Kaza. Security Injections: Modules to Help Students Remember, Understand, and Apply Secure Coding Techniques, Proceedings of the 16th Annual Conference on Innovation and Technology in Computer Science Education (ITICSE), Darmstadt, Germany, 2011.
Cross-Application Scripting Attack, URL: http://blog.watchfire.com/wfblog/2011/08/android-browser-cross-application-scripting-cve-2011-2357.html, retrieved April, 2012.