Build a more secure, mobile cloud environment

Common mobile cloud vulnerabilities and solutions to secure them

Users and providers of mobile device access to cloud environments can expect cyber attacks to continue to exploit weaknesses in cloud networks; however, many lessons from the early days of securing desktop environments have carried over to mobile cloud computing. In this article, the author illuminates mobile cloud security issues by looking at the current state of cloud security breaches, vulnerabilities of mobile cloud devices, and how to address those vulnerabilities. He also discusses potential future issues in securing the mobile cloud and opportunities for developers.

Share:

Preston A. Cox, Mobile cloud consultant

Preston CoxPreston Cox is a mobile cloud consultant with a broad range of application development experience. He completed a successful career with one of the world's largest aerospace defense companies, and in the spirit of turning swords into plowshares, he is co-building a geolocation mobile app business—EventRadar, LLC. He is also creating a collaborative presence in the cloud for a multinational nonprofit organization. In his spare time, Preston creates family-oriented iPhone apps. He is a member of ACM, IEEE, the Linux Foundation, and the CSIX Cloud Computing SIG.



24 June 2011

Also available in Chinese Japanese Spanish

Cyber attacks against mobile platforms, especially smartphones, grew in 2010 according to the McAfee Threats Report: Fourth Quarter 2010 published by McAfee Labs (see Resources). The need to understand the threats and what to do about them is obvious given the current ongoing boom in the convergence of mobile platforms and cloud computing that defines mobile cloud computing.

The McAfee report also suggests that the mobile threat environment is fluid as new mobile platforms appear and as criminals explore new exploits. This evolving threat environment is having an impact on some businesses. For example, Google has been in the news lately because of difficulties in completing contracts to bring cloud-based e-mail services to some state and local governments. Part of the problem, according to Google press releases, relates to changing federal security guidelines, which make it difficult to deliver a solution.

What can be done to protect against the growing and changing security threat environment? Desktop security is an issue that businesses have faced for years. Lessons learned have been carried into cloud computing. In fact, cloud security is a topic that many vendors have addressed and present as a feature of their cloud offerings. Some vendors tout their security certifications obtained from sanctioning entities. Yet, there is a perception that lessons learned in the desktop world all too quickly become lessons forgotten in the mobile world. Mobile devices are still perceived by many as being vulnerable to security attacks.

This article addresses mobile cloud security issues by looking at the current state of security attacks in the cloud, vulnerabilities of mobile cloud devices, and how those vulnerabilities are being addressed. Future issues for securing the mobile cloud are also discussed, and opportunities for developers are noted.

Mobile cloud computing and security threats

There was a time when hackers were motivated by notoriety or curiosity. However, news reports in recent years show that now a primary motivation for hacking is financial gain. For example, at the time this article was written, the British news journal, The Register, reported the arrest of a group of individuals who used a strain of Trojan malicious software (malware) in an attempt to siphon off US$1.7 million from Finnish bank accounts. Other recent news items include reports of a 400 percent increase in Android malware.

The McAfee report mentioned earlier stated that while the mobile threat growth is steady, the volume of threats is much less than for personal computers. However, predictions are that the mobile cloud market will be valued at US$9.4 billion by 2014. As the mobile cloud grows with the increasing proliferation of smartphones, you can expect smartphones to be increasingly attractive to criminals looking for one more entry into potentially lucrative cloud businesses. Now is a good time to understand the security threat to the mobile cloud and to begin to prepare for an inevitable increase in security threats. Begin by taking a quick look at the current state of hacking to gain some insight into the mobile cloud security threat.

When discussing mobile cloud security threats, the primary concern is threats to smartphones and tablet platforms. These threats can be divided into three categories:

  • Physical threats
  • Threats to mobile network security
  • The threat of malware

Physical threats

There are three basic types of physical threats to mobile devices: Lending, loss, and theft. Of these three, theft is the most obvious because the act itself is malicious. Statistics are difficult to find for these categories, but some reports indicate physical losses might range from 12 to 35 million per year. (These numbers are for mobile phones because smartphone and tablet statistics aren't readily available.) Thefts data are even more difficult to find.

Lending a mobile device to a family member or friend may seem harmless but does raise the possibility of enabling that person to access data or applications to which that person is not authorized. There is also the possibility of enabling access to an Internet site that might pose a danger to the smartphone by downloading malware, for example.

Mobile devices that are lost or stolen raise the issue of misuse of data on the device as well as misuse of the device itself. Mobile devices feature a pin-based or password-based lockout capability. However, this feature is often not used by owners. Even when the lockout feature is enabled, though, there are ways to subvert the lockout. For example, you can obtain access to an iPhone by automounting the smartphone via a Universal Serial Bus (USB) connection to a computer and bypassing the lockout. Circumvention of lockouts for other smartphone types is similarly possible.

Developers can add an extra layer of application and data-level security when critical data is controlled by their software. Certainly not all applications access critical data, but developers of those that do can enhance the security of their applications by building in access control.

Developers can also be cognizant of where data is stored on a smartphone. Subscriber identity module (SIM) cards typically hold subscriber and contact data and text messages. These cards can easily be removed from many devices and read by anyone. Developers should not store any data on a SIM card that does not need to be stored there.

The mobile cloud also offers some degree of protection against data loss resulting from a lost or stolen smartphone. Backups or synchronization of data with the cloud should be enabled by developers, mandated by business policy, and consciously pursued by users.

Threats to mobile network security

One of the interesting features of smartphones is the number of ways in which users can access them. In addition to access through a cellular network, most are also accessible via Wi-Fi and Bluetooth, and some are accessible by infrared and radio-frequency identification (RFID). The cellular network (3G or 4G) enables access to phone services, of course, and Internet services as well as Short Messaging Service (SMS) communications. The other interfaces (Wi-Fi, Bluetooth, infrared, and RFID) are used primarily for data exchange. From a security perspective, all interfaces have the potential to expose sensitive information and possibly receive malicious data. This potentially makes them vulnerable in a variety of ways, as described in Table 1.

Table 1. Mobile network security vulnerabilities based on type of access
Type of accessVulnerability
BluetoothBluetooth is a popular wireless personal area network (WPAN) for short-range transmission of digital voice and data that is most often used by smartphones to connect external devices, such as a headset. This technology is susceptible to hacking in a manner similar to SMS but because of its short range may not be attractive to criminal hackers.
CellularA smartphone uses one or more mobile phone technologies to connect to a cellular network to exchange voice and data. The data connection is always on. Multiple radio frequency (RF) bands and technologies may be supported to facilitate a wider range of roaming across networks. This opens the potential for forcing a smartphone to register with a malicious cell site using a less secure protocol.
InfraredAn infrared red interface is used primarily for data exchange but can also be used to control some devices, such as TVs. Infrared requires close proximity and line of sight to work. An infrared interface offers the potential to transmit sensitive data and to receive data that could potentially be damaging in some way. Data can be damaging if it contains executable software that can cause the receiving device to misbehave or fail.
RFIDRFID is used to transmit a radio signal containing information to identify an item. It is used primarily to tag inventory. Now that mobile devices are beginning to incorporate active RFID devices, a device will be able to transmit its location or condition. One obvious security implication is that this technology will enable intruder detection, in the event an unauthorized RFID signal is detected. Conversely, when a particular identifier is detected, a targeted attack could conceivably be launched.
SMSSMS evolved from an earlier protocol for sending short messages to radio memo pagers. SMS is used to exchange messages between fixed land line and mobile phone devices. Demonstrations have shown this service to be susceptible to attacks that can deny service or perhaps even insert malware into the smartphone. Such an attack could conceivably be used to obtain unique identifying information stored on the device.

SMS is sometimes used in two-factor authentication where, for example, a login to a particular site requires responding with a one-time password sent via an SMS message. As vulnerability increases for SMS messaging, developers are advised to use a different messaging band for two-factor authentication.
Wi-FiWi-Fi is a wireless local area network (WLAN) technology commonly used to establish connection to the Internet via a device with a wired Ethernet interface. Closed Wi-Fi connections are noted for their weak protocol encryption scheme. All Wi-Fi hotspots are also susceptible to “man in the middle” attacks where a hacker intercepts communications between a user and a Wi-Fi device.

The threat of malware

Malware has long been a threat to desktop and personal computers. Smartphones, being sophisticated and fully featured computers, are receiving the growing attention of malware creators.

The mobile cloud offers one solution to this threat that is not available to smartphones in general. Authorized software can be stored in and distributed from the cloud. When malware is detected or suspected, the smartphone software can be restored from trusted backups in the cloud.


Securing the mobile cloud

Generally, developers don't expect the mobile cloud to be free from security threats any more than they expect that of any other information technology (IT) model used to support business. Instead, developers perceive security in terms such as risk reduction, mitigation, and deterrence.

Traditionally, developers think of IT security in terms of perimeter defense. That means they keep their computational assets within a confined space that is physically and electronically defended.

Mobile cloud computing makes the situation even worse, from a security viewpoint, because relevant mobile devices (smartphones and tablets) interact with the external world more intimately and through a wider array of technologies.

Two emerging security models offer reasonable approaches to securing the mobile cloud:

  • Data Centric Security Model
  • Data Loss Prevention

Each model can be implemented independent of the other, but together they complement each other nicely to help secure data at rest and data in transit throughout a network.

Data Centric Security Model

The Data Centric Security Model (DCSM) offers an approach to protecting data by associating it with one of a variety of levels and then enacting access control to each level. The data levels or categories can be set up arbitrarily, but typically they group data according to the level of damage that would occur if the data is accessed by someone with malicious intent.

Most businesses use data that can be differentially categorized. For example, one company database might include customer data (Social Security Number, credit card data), corporate data (mergers and acquisitions, financials), and intellectual property (source code, pricing).

Categorizing data is often a function of business requirements and regulations. The US Health Insurance Portability and Accountability Act (HIPAA) security regulation is one example of government-mandated data security. After categories are established, access control rules can be written and enforced.

In this case, the mobile cloud conceivably can enhance enforcement of access control rules. For example, a user's access to a particular category of data might require that the user's mobile device report its geolocation as somewhere in the United States, otherwise access is denied.

Data Loss Prevention

Data Loss Prevention (DLP) is a methodology that attempts not only to deter data loss but also to detect data that is at risk of being lost or misused. DLP approaches deal with data in motion, data at rest, and data in use, which are described in Table 2.

Table 2. DLP data types
Data typeDescription
Data in motionRefers to monitoring of traffic on the network to identify content being sent across specific communications channels for the purpose of determining the suitability of that channel for the data. A mismatch between data and channel could indicate a potential security threat.
Data at restInvolves scanning storage and other content repositories to identify where sensitive content is located. If the container isn't authorized for that data, then corrective action is indicated.
Data in useMeans monitoring data as users interact with it. If a user attempts to transfer sensitive data to an unauthorized device, the user can be alerted, or the action can be blocked.

This emerging technology of DLP affords a good opportunity for developers and researchers. Good threat signature identification will be an ongoing problem as new types of threats emerge. Threat detection rules and security policy enforcement are needed. Also, implementation is a fertile area for growth. For example, DLP-bots — small applications that run on smartphones and tablets — might be one vehicle for deploying DLP in the mobile cloud.


Future of mobile cloud security

Mobile cloud computing is an emerging market driven by the popularity and increasing proliferation of smartphones and tablet computers. As more mobile devices enter the market and evolve, certainly security issues will grow as well. There are many trends that might influence the growth of the market.

One possible trend is incorporation of hypervisors into smartphones. A hypervisor is a program that allows multiple operating systems to share a single computer. Popular examples of hypervisors include Xen from Xen.org. This development is intended to simplify smartphone management problems. It also has potential to simplify security management.

Another trend is the growth of what is known as the Internet of Things. The growth in intelligent devices that are able to interact with the Internet is growing at a much greater rate than traditional computer technology. Some estimates are that over one trillion devices will be connected to the Internet in a few years, and most of those will be standalone devices. Smart meters being installed by utility companies are one example. The growth in the variety of mobile devices that can interact with the cloud will undoubtedly bring new security concerns as well.


In conclusion

Mobile cloud computing is poised to become a huge market. That huge market will attract the attention of criminals who want to make an easy profit by finding and exploiting weaknesses in mobile cloud technology. Also, enormous growth in the variety of devices connected to the Internet will further drive security needs. This article presented some of the issues that are pertinent for planning how to provide security for the mobile cloud.

Resources

Learn

Get products and technologies

Discuss

Comments

developerWorks: Sign in

Required fields are indicated with an asterisk (*).


Need an IBM ID?
Forgot your IBM ID?


Forgot your password?
Change your password

By clicking Submit, you agree to the developerWorks terms of use.

 


The first time you sign into developerWorks, a profile is created for you. Information in your profile (your name, country/region, and company name) is displayed to the public and will accompany any content you post, unless you opt to hide your company name. You may update your IBM account at any time.

All information submitted is secure.

Choose your display name



The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerWorks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

Required fields are indicated with an asterisk (*).

(Must be between 3 – 31 characters.)

By clicking Submit, you agree to the developerWorks terms of use.

 


All information submitted is secure.

Dig deeper into Cloud computing on developerWorks


  • Bluemix Developers Community

    Get samples, articles, product docs, and community resources to help build, deploy, and manage your cloud apps.

  • developerWorks Labs

    Experiment with new directions in software development.

  • DevOps Services

    Software development in the cloud. Register today to create a project.

  • Try SoftLayer Cloud

    Deploy public cloud instances in as few as 5 minutes. Try the SoftLayer public cloud instance for one month.

static.content.url=http://www.ibm.com/developerworks/js/artrating/
SITE_ID=1
Zone=Cloud computing
ArticleID=678034
ArticleTitle=Build a more secure, mobile cloud environment
publish-date=06242011