The document discusses several security challenges related to mobile devices, including managing registry settings, authentication, cryptography, LDAP, remote access servers, media players, and networking APIs. It provides details on each of these topics through examples and explanations.
Security Challenges Posed by Mobile Devices
Security Challenges Posed by Mobile Devices,
Registry Settings for Mobile Devices,
Authentication Service Security

Security Challenges Posed by Mobile Devices
• Mobility brings two main challenges to cybersecurity:
• First, on the hand-held devices, information is being taken outside the physically controlled environment.
• Second, remote access back to the protected environment is being granted.
• Perceptions of the organizations to these cybersecurity challenges are important in devising appropriate security operating procedures.

As the number of mobile device users increases, two challenges are presented:
1. At the device level, called “microchallenges”, and
2. At the organizational level, called “macrochallenges.”

Some well-known technical challenges in mobile security are:
1. Managing the registry settings and configurations
2. Authentication service security
3. Cryptography security
4. Lightweight Directory Access Protocol (LDAP) security
5. Remote access server (RAS) security
6. Media player control security
7. Networking application program interface (API) security, etc.

Registry Settings for Mobile Devices
Let us understand the issue of registry settings on mobile devices through an example:
• Microsoft ActiveSync is meant for synchronization with Windows-powered personal computers (PCs) and Microsoft Outlook.
• ActiveSync acts as the gateway between a Windows-powered PC and a Windows Mobile-powered device, enabling the transfer of Outlook information, Microsoft Office documents, pictures, music, videos and applications from a user’s desktop to his/her device.
• In addition to synchronizing with a PC, ActiveSync can synchronize directly with the Microsoft Exchange server so that users can keep their E-Mails, calendar, notes and contacts updated wirelessly when they are away from their PCs.
• In this context, registry settings become an important issue given the ease with which various applications allow a free flow of information.
• Thus, establishing trusted groups through appropriate registry settings becomes crucial. One of the most prevalent areas where this attention to security is applicable is within “group policy.” Group policy is one of the core operations performed by Windows Active Directory.
• There is one more dimension to mobile device security: new mobile applications are constantly being provided to help protect against Spyware, viruses, worms, malware and other Malicious Code that runs through the networks and the Internet.
• The mobile security issue on a Windows platform is that the baseline security is not configured properly.
• When you get a computer installed or use a mobile device for the first time, it may not be 100% secure. Even if users go through every Control Panel setting and group policy option, they may not get the computer to the desired baseline security.
• For example, the only way to get a Windows computer to a security level that will be near bulletproof is to make additional registry changes that are not exposed through any interface.
• There are many ways to complete these registry changes on every computer, but some are certainly more efficient than others.
• Innocent users may think that for solving the problem of mobile device security there are not many registry settings to tackle.
• However, the reality is far different! The reality of the overall problem becomes apparent when you start researching and investigating the abundance of “registry hacks” that are discussed in Microsoft Knowledge Base articles.

Authentication Service Security
• There are two components of security in mobile computing: security of devices and security in networks.
• Secure network access involves mutual authentication between the device and the base stations or Web servers.
• This is to ensure that only authenticated devices can be connected to the network for obtaining the requested services.
• It also ensures that no Malicious Code can impersonate (imitate) the service provider to trick the device into doing something it does not mean to. Thus, the networks also play a crucial role in the security of mobile devices.
• Some prominent kinds of attacks to which mobile devices are subjected are: push attacks, pull attacks and crash attacks.
• Authentication service security is important given the typical attacks on mobile devices through wireless networks: DoS attacks, traffic analysis, eavesdropping, man-in-the-middle attacks and session hijacking.

Cryptographic Security for Mobile Devices
• Cryptographically Generated Addresses (CGA) are Internet Protocol version 6 (IPv6) addresses in which up to 64 address bits are generated by hashing the owner’s public key.
• The address owner uses the corresponding private key to assert address ownership and to sign messages sent from the address without a public-key infrastructure (PKI) or other security infrastructure.
• Deployment of PKI provides many benefits for users to secure their financial transactions initiated from mobile devices.
• CGA-based authentication can be used to protect IP-layer signaling protocols including neighbour discovery (as in context-aware mobile computing applications) and mobility protocols.
• It can also be used for key exchange in opportunistic Internet Protocol Security (IPSec).
• Palms (devices that can be held in one’s palm) are one of the most common hand-held devices used in mobile computing.
• Cryptographic security controls are deployed on these devices.
• For example, the Cryptographic Provider Manager (CPM) in Palm OS5 is a system-wide suite of cryptographic services for securing data and resources on a palm-powered device.
• The CPM extends encryption services to any application written to take advantage of these capabilities, allowing the encryption of only selected data or of all data and resources on the device.

LDAP (Lightweight Directory Access Protocol) Security for Hand-Held Mobile Computing Devices
• LDAP is a software protocol for enabling anyone to locate individuals, organizations and other resources such as files and devices on the network (i.e., on the public Internet or on the organization's Intranet).
• In a network, a directory tells you where an entity is located in the network.
• LDAP is a lightweight (smaller amount of code) version of Directory Access Protocol (DAP) because it does not include security features in its initial version.

[Figure label: Attacker launches blended attack over rogue ad hoc network (802.11, Bluetooth, infrared)]

RAS (Remote Access Server) Security for Mobile Devices
• RAS (Remote Access Server) is an important consideration for protecting the business-sensitive data that may reside on the employees’ mobile devices.
• In addition to being vulnerable to unauthorized access on their own, mobile devices also provide a route into the systems with which they connect.
• By using a mobile device to appear as a registered user (impersonating or masquerading) to these systems, a would-be cracker is then able to steal data or compromise corporate systems in other ways.
• Another threat comes from the practice of port scanning.
• First, attackers use a domain name system (DNS) server to locate the IP address of a connected computer. A domain is a collection of sites that are related in some sense.
• Second, they scan the ports on this known IP address, working their way through its Transmission Control Protocol (TCP)/User Datagram Protocol (UDP) stack to see what communication ports are unprotected by firewalls.
• For instance, File Transfer Protocol (FTP) transmissions are typically assigned to port 21.
• If this port is left unprotected, it can be misused by the attackers.
• Protecting against port scanning requires software that can trap unauthorized incoming data packets and prevent a mobile device from revealing its existence and ID.
• A personal firewall on a pocket PC or Smartphone device can be an effective protective screen against this form of attack for the users connecting through a direct Internet or RAS connection.

Media Player Control Security
• Various leading software development organizations have been warning the users about the potential security attacks on their mobile devices through the “music gateways.”
• There are many examples to show how a media player can turn out to be a source of threat to information held on mobile devices.
• For example, in the year 2002, Microsoft Corporation warned about this.
• According to this news item, Microsoft had warned people that a series of flaws in its Windows Media Player could allow a malicious hacker to hijack people’s computer systems and perform a variety of actions.
• According to this warning from Microsoft, in the most severe exploit of a flaw, a hacker could take over a computer system and perform any task the computer’s owner is allowed to do, such as opening files or accessing certain parts of a network.

Networking API Security for Mobile Computing Applications
• With the advent of electronic commerce (E-Commerce) and its further offshoot into MCommerce, online payments are becoming a common phenomenon with the payment gateways accessed remotely and possibly wirelessly.
• Furthermore, with the advent of Web services and their use in mobile computing applications, the API becomes an important consideration.
• Already, there are organizations announcing the development of various APIs to enable software and hardware developers to write single applications.
• Most of these developments are targeted specifically at securing a range of embedded and consumer products, including those running OSs such as Linux, Symbian, Microsoft Windows CE and Microsoft Windows Mobile (the last three are the most commonly used OSs for mobile devices).
• Technological developments such as these provide the ability to significantly improve cybersecurity of a wide range of consumer as well as mobile devices. By providing a common software framework, APIs will become an important enabler of new and higher value services.
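
The CGA binding described under Cryptographic Security for Mobile Devices, worked through as an added example (not part of the original slides) that follows the RFC 3972 hash construction. The key bytes are constructed stand-ins for a DER-encoded public key, extension fields are omitted, and the starting modifier is fixed rather than random so the run is repeatable.

```python
import hashlib
import ipaddress

MASK = 0x1CFFFFFFFFFFFFFF  # ignore the 3 Sec bits and the u/g bits when comparing

def _sha1(*parts):
    return hashlib.sha1(b"".join(parts)).digest()

def _hash2_ok(modifier, pubkey, sec):
    # Hash2 = leftmost 112 bits of SHA-1(modifier | 9 zero octets | public key);
    # its leftmost 16*sec bits must all be zero.
    h2 = int.from_bytes(_sha1(modifier, bytes(9), pubkey)[:14], "big")
    return h2 >> (112 - 16 * sec) == 0

def cga_generate(prefix, pubkey, sec=0, start_modifier=0, collisions=0):
    """Return (IPv6Address, modifier bytes) for a 64-bit prefix and an encoded key."""
    if len(prefix) != 8 or not 0 <= sec <= 7 or not 0 <= collisions <= 2:
        raise ValueError("bad CGA parameters")
    m = start_modifier  # assumption: fixed start value instead of a random one
    while not _hash2_ok(m.to_bytes(16, "big"), pubkey, sec):
        m = (m + 1) % (1 << 128)
    modifier = m.to_bytes(16, "big")
    # Hash1 = leftmost 64 bits of SHA-1(modifier | prefix | collision count | key)
    iid = bytearray(_sha1(modifier, prefix, bytes([collisions]), pubkey)[:8])
    iid[0] = (iid[0] & 0x1C) | (sec << 5)  # write Sec, clear the u and g bits
    return ipaddress.IPv6Address(prefix + bytes(iid)), modifier

def cga_verify(addr, modifier, pubkey, collisions=0):
    """Check that addr is bound to pubkey under the given CGA parameters."""
    raw = ipaddress.IPv6Address(addr).packed
    prefix, iid = raw[:8], raw[8:]
    sec = iid[0] >> 5
    if len(modifier) != 16 or not 0 <= collisions <= 2:
        return False
    h1 = _sha1(modifier, prefix, bytes([collisions]), pubkey)[:8]
    if (int.from_bytes(h1, "big") ^ int.from_bytes(iid, "big")) & MASK:
        return False
    return _hash2_ok(modifier, pubkey, sec)

# Constructed stand-ins for DER-encoded public keys (not real keys).
OWNER_KEY = b"constructed-public-key-owner"
OTHER_KEY = b"constructed-public-key-other"
PREFIX = bytes.fromhex("20010db800000000")  # 2001:db8::/64 documentation prefix
```

A receiver that runs `cga_verify` and then checks a signature made with the matching private key learns that the sender owns the address, which is how the scheme works without a PKI.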
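
The RAS section says protection against port scanning needs software that traps unauthorized incoming packets. As an added example (not part of the original slides), this is one way a personal firewall's drop log could be checked for a scan: flag any source that hits many distinct blocked ports within a short window. The log format, thresholds and sample lines are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed log lines: "<epoch-seconds> <source-ip> <destination-port> <action>"
SAMPLE_LOG = """\
1000 198.51.100.7 21 DROP
1001 198.51.100.7 22 DROP
1002 198.51.100.7 23 DROP
1002 203.0.113.9 443 ALLOW
1003 198.51.100.7 25 DROP
1004 198.51.100.7 80 DROP
1005 198.51.100.7 443 DROP
1006 203.0.113.9 21 DROP
1007 203.0.113.9 21 DROP
1008 203.0.113.9 21 DROP
1010 192.0.2.44 21 DROP
1035 192.0.2.44 22 DROP
1060 192.0.2.44 23 DROP
1085 192.0.2.44 25 DROP
1110 192.0.2.44 80 DROP
"""

def detect_port_scans(lines, min_ports=5, window=10):
    """Return {source: sorted ports} for sources that reached at least
    min_ports distinct blocked ports within `window` seconds."""
    recent = defaultdict(deque)  # source -> (timestamp, port) pairs still in window
    flagged = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[3] != "DROP":
            continue  # skip malformed lines and permitted traffic
        ts, src, port = int(parts[0]), parts[1], int(parts[2])
        q = recent[src]
        q.append((ts, port))
        while ts - q[0][0] > window:
            q.popleft()  # forget probes older than the window
        ports = {p for _, p in q}
        if len(ports) >= min_ports:
            flagged.setdefault(src, set()).update(ports)
    return {src: sorted(ports) for src, ports in flagged.items()}

if __name__ == "__main__":
    for src, ports in detect_port_scans(SAMPLE_LOG.splitlines()).items():
        print(f"possible scan from {src}: ports {ports}")
```

Repeated retries against one port (203.0.113.9) and probes spread 25 seconds apart (192.0.2.44) stay under the threshold, which shows the trade-off: a wider window catches slower scans at the cost of more false positives.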