Security considerations related to the use of mobile devices in the operation of critical infrastructures

An increasing number of attacks by mobile malware have begun to target critical infrastructure assets. Since malware attempts to defeat the security mechanisms provided by an operating system, it is of paramount importance to understand the strengths and weaknesses of the security frameworks of mobile device operating systems such as Android. Many recently discovered vulnerabilities suggest that security issues may be hidden in the cross-layer interplay between the Android layers and the underlying Linux kernel. This paper presents an empirical security evaluation of the interactions between Android layers. The experiments indicate that the Android Security Framework does not discriminate between callers of invocations to the Linux kernel, thereby enabling Android applications to directly interact with the kernel. This paper shows how this trait allows malware to adversely affect the security of mobile devices by exploiting previously unknown vulnerabilities unveiled by analyses of the Android interplay. The impact of the resulting attacks on critical infrastructures is discussed. Finally, an enhancement to the Android Security Framework is proposed for detecting and preventing direct kernel invocations by applications, thereby dramatically reducing the impact of malware.
