DOI: 10.1145/2661694.2661696

Attack surfaces for mobile devices

Published: 17 November 2014

Abstract

Mobile platforms represent an increasingly valuable target for adversaries. This paper discusses attack surfaces – points of attack – that mobile devices present. Several important mobile device capabilities in communication, computation and sensors enable attack surfaces not usually seen in desktop or server systems. These attack surfaces are not generally considered in the recommendations of current secure software development lifecycles. Mitigation of the threats or reduction of the attack surfaces is needed when constructing secure mobile software.


Cited By

  • (2023) AppChainer: investigating the chainability among payloads in android applications. Cybersecurity 6:1. DOI: 10.1186/s42400-023-00151-2. Online publication date: 2 Aug 2023.
  • (2019) Modeling and reducing the attack surface in software systems. Proceedings of the 11th International Workshop on Modelling in Software Engineering, 55-62. DOI: 10.1109/MiSE.2019.00016. Online publication date: 26 May 2019.
  • (2019) Attack Surface Identification and Reduction Model Applied in Scrum. 2019 International Conference on Cyber Security and Protection of Digital Services (Cyber Security), 1-8. DOI: 10.1109/CyberSecPODS.2019.8884956. Online publication date: Jun 2019.
  • (2018) Secure and Dynamic Memory Management Architecture for Virtualization Technologies in IoT Devices. Future Internet 10:12 (119). DOI: 10.3390/fi10120119. Online publication date: 30 Nov 2018.

Published In

    DeMobile 2014: Proceedings of the 2nd International Workshop on Software Development Lifecycle for Mobile
    November 2014
    18 pages
    ISBN: 9781450332255
    DOI: 10.1145/2661694

Publisher

    Association for Computing Machinery, New York, NY, United States


    Author Tags

    1. Mobile development
    2. Mobile security
    3. Secure development lifecycle

Conference

    SIGSOFT/FSE'14


