Mobile Application Security Research Articles

Security model on mobile banking application: attack simulation and countermeasures

Nowadays, we use mobile devices in all activities such as communication, play, surf on the internet, shop online and banking transactions. But the applications used do not always comply with the security requirements on mobile environment and this can cause vulnerabilities allowing attackers to take control of the phone and to steal some users' private data. That is why, it is important to take a look at the security of mobile applications especially of financial institutions. In this paper, we will present some security issues of android applications. We will also make a reverse engineering of an Android banking application, then a static analysis of its code to detect its weaknesses. After that, we will insert a malicious code that will help us not only to take control of the smartphone but also to make a DDOS attack on a simulated bank server. Finally, we will propose some countermeasures.

Efficient and Anonymous Mobile User Authentication Protocol Using Self-Certified Public Key Cryptography for Multi-Server Architectures

Rapid advances in wireless communication technologies have paved the way for a wide range of mobile devices to become increasingly ubiquitous and popular. Mobile devices enable anytime, anywhere access to the Internet. The fast growth of many types of mobile services used by various users has made the traditional single-server architecture inefficient in terms of its functional requirements. To ensure the availability of various mobile services, there is a need to deploy multi-server architectures. To ensure the security of various mobile service applications, the anonymous mobile user authentication (AMUA) protocol without online registration using the self-certified public key cryptography (SCPKC) for multi-server architectures was proposed in the past. However, most of the past AMUA solutions suffer from malicious attacks or have unacceptable computation and communication costs. To address these drawbacks, we propose a new AMUA protocol that uses the SCPKC for multi-server architectures. In contrast to the existing AMUA protocols, our proposed AMUA protocol incurs lower computation and communication costs. By comparing with two of the latest AMUA protocols, the computation and the communication costs of our protocol are at least 74.93% and 37.43% lower than them, respectively. Moreover, the security analysis of our AMUA protocol demonstrates that it satisfies the security requirements in practical applications and is provably secure in the novel security model. By maintaining security at various levels, our AMUA protocol is more practical for various mobile applications.

OpenCL을 이용한 GPGPU 기반 지문개선 알고리즘 가속화

Recently the fingerprint is widely used as one of biometrics to improve the security of financial mobile applications, because of its user convenience and high recognition rate. However, in order to apply fingerprint algorithms to finance and security applications, the recognition rate and processing speed of the fingerprint algorithms have to be improved further. In this paper, we propose the parallel fingerprint enhancement algorithm on general-purpose computing on graphics processing unit (GPGPU) using OpenCL. We discuss the analysis of the parallelism in the fingerprint algorithm as well as the exploration of optimization parameters of the parallel fingerprint algorithm to improve the performance. The experimental results showed that the execution of parallel fingerprint enhancement algorithm on GPGPUs was accelerated from 29.4 upto 69.2 times compared with the execution of the original one on the host CPUs.

Design of a Work Process and Implementation of a Prototype for the Development of an Automation Tool for Android Application Vulnerability Inspection

As a variety of services are provided through mobile devices, there have been increasing security threats to mobile platforms and applications. Many mobile application security check methodologies are proposed to deal with such threats, but it is not clear exactly how the security vulnerabilities are inspected, and there is no correct methodology for such. One way to increase the execution rate of vulnerability check is to develop an automation tool that simplifies the process. Therefore, in this study, a work process of Android application vulnerability inspection was designed and a prototype of the automation tool for vulnerability inspection was implemented. Furthermore, the effectiveness of the implemented prototype was assessed through an actual application using the prototype.

Users’ perceptions about mobile security breaches

Apart from the technological perspective of security in mobile devices and applications, the economic perspective has been increasingly attracting the academic and business interest. This paper aims to investigate the perceptions of mobile users about the economic importance of security breaches. Instead of considering mobile users as a whole, they were examined as distinct user types based on Brandtzaeg's mobile user typology. These types are: (1) sporadic users, (2) socializers, (3) entertainment type users, (4) instrumental users, and (5) advanced users. In the context of the research part of this study, a survey was conducted in a sample of smartphone and tablet owners. The five user types were identified in our sample by setting specific classification rules, based on the frequency and the variety of mobile services used. Mobile users' perceptions were assessed in terms of ten different kinds of security breaches. The findings indicated that the user types perceive differently the economic importance of security breaches, implying that the design of security policies and/or the development of tools totally for the community of users are not the appropriate practices. Our research could contribute to the knowledge considering mobile users and their perceptions about security breaches. Mobile content providers and developers could use the findings of this study to evaluate and redesign, if needed, their current strategies so as to meet users' needs regarding security.

Mobile application security: malware threats and defenses

Due to the quantum leap in functionality, the rate of upgrading traditional mobile phones to smartphones is tremendous. One of the most attractive features of smartphones is the availability of a large number of apps for users to download and install. However, it also means hackers can easily distribute malware to smartphones, launching various attacks. This issue should be addressed by both preventive approaches and effective detection techniques. This article first discusses why smartphones are vulnerable to security attacks. Then it presents malicious behavior and threats of malware. Next, it reviews the existing malware prevention and detection techniques. Besides more research in these directions, it points out efforts from app developers, app store administrators, and users, who are also required to defend against such malware.

모바일 어플리케이션 개발에서의 보안성 향상을 위한 보안 점검항목 개선에 관한 연구

Abstract The use of mobile devices offers a variety of services to the individuals and companies. On the other hand, security threats and new mobile security threats that exist in IT infrastructure to build the environment for mobile services are present at the same time. Services such as mobile and vaccine management services, such as MDM (Mobile Device Management) has attracted a great deal of interest in order to minimize the threat of security in mobile environment. These solutions can not protect an application that was developed for the mobile service from the threat of vulnerability of mobile application itself. Under these circumstances, in this paper, we proposed mobile application security checklists based on application security review items in order to prevent security accidents that can occur in a mobile service environment. We collected and analyzed Android applications, we performed a total inspection of the applications for verification of the effectiveness of the check items. And we checked that the check items through a survey of experts suitability was verified.

Formal modeling and automatic enforcement of Bring Your Own Device policies

The emerging Bring Your Own Device (BYOD) paradigm is pushing the adoption of employees' personal mobile devices (e.g., smartphones and tablets) inside organizations for professional usage. However, allowing private, general purpose devices to interact with proprietary, possibly critical infrastructures enables obvious threats. Unfortunately, current mobile OSes do not seem to provide adequate security support for dealing with them. In this paper, we present a formal modeling and assessment of the security of mobile applications. In particular, we propose a security framework for verifying and enforcing BYOD security policies on Android devices. Interestingly, our approach is non-invasive and only requires minor platform modifications at application level. Finally, we provide empirical evidence of the practical feasibility of the approach by means of a prototype which we used to validate a set of real Android applications.

Design of Mobile Police Store System Based on the Technology of Information Security

In order to enrich the mobile police application and enhancing mobile police application security,analysis of current situation and requirement of the mobile police application,to put forward a kind of police mobile application store system based on information safety technology.Specific depicts system overall design,background design,front design,the use of information security technology,and the test results of the system are described.The design and development of the police mobile application warehouse system,have certain reference siginficance.

NFC in the K-Project Secure Contactless Sphere—smart RFID technologies for a connected world

Representatives from the entire RFID supply chain have come together to form a consortium to work on the K-Project Secure Contactless Sphere (SeCoS). The aims of the project are to develop a Web of Things platform with built-in NFC support which places the highest demands on security and protection of privacy. Research will be carried out in three important thematic fields to enable secure mobile NFC applications. The first research activity focuses on defining the service architecture and implementing the core components of the Web of Things application platform, which is built on a message driven paradigm. The second research activity develops and assesses security and privacy policy enhancing technologies for NFC devices. The third research activity aims at achieving higher data rates with NFC systems through innovative design solutions. Finally, the project shows the research results in concrete demonstrators.

A standard for developing secure mobile applications

The abundance of mobile software applications (apps) has created a security challenge. These apps are widely available across all platforms for little to no cost and are often created by small companies and less-experienced programmers. The lack of development standards and best practices exposes the mobile device to potential attacks. This article explores not only the practices that should be adopted by developers of all apps, but also those practices the enterprise user should demand of any app that resides on a mobile device that is employed for both business and private uses.

Game theory meets network security and privacy

This survey provides a structured and comprehensive overview of research on security and privacy in computer and communication networks that use game-theoretic approaches. We present a selected set of works to highlight the application of game theory in addressing different forms of security and privacy problems in computer networks and mobile applications. We organize the presented works in six main categories: security of the physical and MAC layers, security of self-organizing networks, intrusion detection systems, anonymity and privacy, economics of network security, and cryptography. In each category, we identify security problems, players, and game models. We summarize the main results of selected works, such as equilibrium analysis and security mechanism designs. In addition, we provide a discussion on the advantages, drawbacks, and future direction of using game theory in this field. In this survey, our goal is to instill in the reader an enhanced understanding of different research approaches in applying game-theoretic methods to network security. This survey can also help researchers from various fields develop game-theoretic solutions to current and emerging security problems in computer networking.

Hybrid Attribute- and Re-Encryption-Based Key Management for Secure and Scalable Mobile Applications in Clouds

Outsourcing data to the cloud are beneficial for reasons of economy, scalability, and accessibility, but significant technical challenges remain. Sensitive data stored in the cloud must be protected from being read in the clear by a cloud provider that is honest-but-curious. Additionally, cloud-based data are increasingly being accessed by resource-constrained mobile devices for which the processing and communication cost must be minimized. Novel modifications to attribute-based encryption are proposed to allow authorized users access to cloud data based on the satisfaction of required attributes such that the higher computational load from cryptographic operations is assigned to the cloud provider and the total communication cost is lowered for the mobile user. Furthermore, data re-encryption may be optionally performed by the cloud provider to reduce the expense of user revocation in a mobile user environment while preserving the privacy of user data stored in the cloud. The proposed protocol has been realized on commercially popular mobile and cloud platforms to demonstrate real-world benchmarks that show the efficacy of the scheme. A simulation calibrated with the benchmark results shows the scalability potential of the scheme in the context of a realistic workload in a mobile cloud computing system.

Addressing Security and Privacy Risks in Mobile Applications

Applications for mobile platforms are being developed at a tremendous rate, but often without proper security implementation. Insecure mobile applications can cause serious information security and data privacy issues and can have severe repercussions on users and organizations alike.

Integration of Biometric authentication procedure in customer oriented payment system in trusted mobile devices

Mobile payments have become an important application in daily activities. The unique advantage of mobile payments over traditional payments has led to tremendous growth of mobile phones. The strong demand of mobile applications raised increased concern on the security of mobile applications as well as devices. New mobile devices are developed to serve various functions like storing sensitive information, accessing this information as well transacting this information through payment systems. In order to protect this information and mobile devices, a well defined authentication system is mandatory. Biometric authentication is much more safe and secure and very easy to use. In this paper we propose a multi modal biometric authentication procedure with respect to payment systems and integrate this model with our previous work. The aim of this paper is to integrate the proposed payment model with multi server authentication model for the purpose of maintaining security and accessing different servers (websites). The system providing resources to be accessed over the network often consists of many different servers through out the world. The distribution of the remote system hardware in different places makes the user access the resources more efficiently and conveniently.

모바일 애플리케이션을 위한 취약점 분석기의 설계 및 구현

최근 모바일 애플리케이션의 보급과 사용은 급속도로 확장되고 있으며, 이 과정에서 모바일 애플리케이션의 보안이 새로운 문제로 대두되고 있다. 일반적인 소프트웨어의 안전성은 시큐어 코딩을 통해 개발 단계에서 부터 검증까지 체계적으로 이루어지고 있으나 모바일 애플리케이션의 경우는 아직 연구가 미흡한 실정이다. 본 논문에서는 모바일 애플리케이션에 특화된 취약점 항목을 도출하고 이를 기반으로 취약점을 분석할 수 있는 취약점 분석기를 설계하고 구현한다. 취약점 목록은 CWE(Common Weakness Enumeration)와 CERT (Computer Emergency Response Team)를 기반으로 모바일 애플리케이션의 특징인 이벤트 구동방식을 한정하여 도출하였으며, 분석 도구는 동적 테스트를 통하여 애플리케이션 소스 내에 취약점이 존재하는지 검사한다. 또한 도출된 취약점 목록은 모바일 애플리케이션을 작성하는 프로그래머의 지침서로 활용 될 수 있다. The dissemination and use of mobile applications have been rapidly expanding these days. And in such a situation, the security of mobile applications has emerged as a new issue. Although the safety of general software such as desktop and enterprise software is systematically achieved from the development phase to the verification phase through secure coding, there have been not sufficient studies on the safety of mobile applications yet. This paper deals with deriving weakness enumeration specialized in mobile applications and implementing a tool that can automatically analyze the derived weakness. Deriving the weakness enumeration can be achieved based on CWE(Common Weakness Enumeration) and CERT(Computer Emergency Response Team) relating to the event-driven method that is generally used in developing mobile applications. The analysis tool uses the dynamic tests to check whether there are specified vulnerabilities in the source code of mobile applications. Moreover, the derived vulnerability could be used as a guidebook for programmers to develop mobile applications.

Security and communication networks (SCN) special issue on “security for mobile internet applications”

Security and communication networks (SCN) special issue on “security for mobile internet applications”

A user-centric and federated Single-Sign-On IAM system for SOA e/m-frameworks

Nowadays, the need for more user-centric privacy-aware transactions raises specific challenges that Service Oriented Architectures (SOA) need to address, including the problems of managing users' personal identification information and ensuring privacy and anonymity in the e/m-environment. This paper presents a targeted, user-centric and federated Single-Sign-On Identity Management System (IAM) called SecIdAM, and a mobile implementation framework for building privacy-aware, interoperable and secure mobile applications with respect to the way that the trust relationship among the involved entities, users and SOAs is established. Moreover, it analyses a user-transparent m-process, simulating the registration, negotiation of policies and identification information preferences, and user's authorisation sessions, as integrated in the IST European programme SWEB for the public sector.

Promoting the development of secure mobile agent applications

In this paper, we present a software architecture and a development environment for the implementation of applications based on secure mobile agents. Recent breakthroughs in mobile agent security have unblocked this technology, but there is still one important issue to overcome: the complexity of programming applications using these security solutions. Our proposal aims to facilitate and speed up the process of implementing cryptographic protocols, and to allow the reuse of these protocols for the development of secure mobile agents. As a result, the proposed architecture and development environment promote the use of mobile agent technology for the implementation of secure distributed applications.

Random security scheme selection for mobile transactions

AbstractSecurity in a mobile communication environment is always a matter for concern, even after deploying many security techniques at device, network, and application levels. The end‐to‐end security for mobile applications can be made robust by developing dynamic schemes at application level which makes use of the existing security techniques varying in terms of space, time, and attacks complexities. In this paper we present a security techniques selection scheme for mobile transactions, called the Transactions‐Based Security Scheme (TBSS). The TBSS uses intelligence to study, and analyzes the security implications of transactions under execution based on certain criterion such as user behaviors, transaction sensitivity levels, and credibility factors computed over the previous transactions by the users, network vulnerability, and device characteristics. The TBSS identifies a suitable level of security techniques from the repository, which consists of symmetric, and asymmetric types of security algorithms arranged in three complexity levels, covering various encryption/decryption techniques, digital signature schemes, and hashing techniques. From this identified level, one of the techniques is deployed randomly. The results shows that, there is a considerable reduction in security cost compared to static schemes, which employ pre‐fixed security techniques to secure the transactions data. Copyright © 2008 John Wiley & Sons, Ltd.