A Survey on Security for Mobile Devices

Nowadays, mobile devices are an important part of our everyday lives since they enable us to access a large variety of ubiquitous services. In recent years, the availability of these ubiquitous and mobile services has signicantly increased due to the dierent form of connectivity provided by mobile devices, such as GSM, GPRS, Bluetooth and Wi-Fi. In the same trend, the number and typologies of vulnerabilities exploiting these services and communication channels have increased as well. Therefore, smartphones may now represent an ideal target for malware writers. As the number of vulnerabilities and, hence, of attacks increase, there has been a corresponding rise of security solutions proposed by researchers. Due to the fact that this research eld is immature and still unexplored in depth, with this paper we aim to provide a structured and comprehensive overview of the research on security solutions for mobile devices. This paper surveys the state of the art on threats, vulnerabilities and security solutions over the period 2004-2011. We focus on high-level attacks, such those to user applications, through SMS/MMS, denial-of-service, overcharging and privacy. We group existing approaches aimed at protecting mobile devices against these classes of attacks into dierent categories, based upon the detection principles, architectures, collected data and operating systems, especially focusing on IDS-based models and tools. With this categorization we aim to provide an easy and concise view of the underlying model adopted by each approach

Computational Resource Abuse in Web Applications

Internet browsers include Application Programming Interfaces (APIs) to support Web applications that require complex functionality, e.g., to let end users watch videos, make phone calls, and play video games. Meanwhile, many Web applications employ the browser APIs to rely on the user's hardware to execute intensive computation, access the Graphics Processing Unit (GPU), use persistent storage, and establish network connections. However, providing access to the system's computational resources, i.e., processing, storage, and networking, through the browser creates an opportunity for attackers to abuse resources. Principally, the problem occurs when an attacker compromises a Web site and includes malicious code to abuse its visitor's computational resources. For example, an attacker can abuse the user's system networking capabilities to perform a Denial of Service (DoS) attack against third parties. What is more, computational resource abuse has not received widespread attention from the Web security community because most of the current specifications are focused on content and session properties such as isolation, confidentiality, and integrity. Our primary goal is to study computational resource abuse and to advance the state of the art by providing a general attacker model, multiple case studies, a thorough analysis of available security mechanisms, and a new detection mechanism. To this end, we implemented and evaluated three scenarios where attackers use multiple browser APIs to abuse networking, local storage, and computation. Further, depending on the scenario, an attacker can use browsers to perform Denial of Service against third-party Web sites, create a network of browsers to store and distribute arbitrary data, or use browsers to establish anonymous connections similarly to The Onion Router (Tor). Our analysis also includes a real-life resource abuse case found in the wild, i.e., CryptoJacking, where thousands of Web sites forced their visitors to perform crypto-currency mining without their consent. In the general case, attacks presented in this thesis share the attacker model and two key characteristics: 1) the browser's end user remains oblivious to the attack, and 2) an attacker has to invest little resources in comparison to the resources he obtains. In addition to the attack's analysis, we present how existing, and upcoming, security enforcement mechanisms from Web security can hinder an attacker and their drawbacks. Moreover, we propose a novel detection approach based on browser API usage patterns. Finally, we evaluate the accuracy of our detection model, after training it with the real-life crypto-mining scenario, through a large scale analysis of the most popular Web sites

Communications multi-niveaux sécurisées dans une flotte de terminaux mobiles

Les matériels mobiles actuels, et les téléphones mobiles en particulier, sont équipés de différentes technologies sans fil qui augmentent et diversifient leurs capacités de communication. L utilisation combinée et efficace de ces technologies offre des possibilités variées et accrues en termes de services et d applications. Néanmoins elle requiert la réalisation d analyses fines en matières de sécurité et de choix du mode de communication à utiliser en fonction de critères dépendant du contexte : coût énergétique, coût financier, préférences des entités impliquées, préservation de la vie privée, etc. Cette problématique est apparue comme une question clé au sein du projet Smart Urban Spaces dans le cadre duquel s inscrit cette thèse. Notre contribution à ce projet est la création d applications collaboratives qui utilisent de façon appropriée la gamme des technologies sans fil disponibles sur les matériels considérés. En d autres termes, on cherche à utiliser les moyens de transmission les plus appropriés (au sens des critères indiqués plus haut) que deux ou plusieurs équipements mobiles peuvent utiliser pour réaliser leurs échanges, qui plus est, sans que cela ne nécessite de connaître leurs positions respectives. La transparence de la localisation des cibles devient ainsi une règle. On peut synthétiser la question centrale que nous avons choisie d étudier de la manière suivante : comment faire communiquer un ensemble de terminaux mobiles (des téléphones portables en particulier) de façon sécurisée en utilisant la technologie la plus adaptée en fonction du contexte ? Notre objectif est de proposer une réponse à cette question en définissant une plate-forme multi-niveaux prenant en compte les différentes technologies disponibles sur les équipements considérés. Il s agit en particulier d identifier l ensemble des éléments à prendre en compte dans la conception de la plate-forme, de les modéliser, de développer des applications de référence et de valider la pertinence des solutions proposées par des tests, ainsi que des évaluations qualitatives et quantitatives.Current mobile devices, and mobile phones in particular, are equipped with different wireless technologies that increase and diversify their communication capabilities.The combined and effective use of these technologies offers various opportunities in terms of services and applications. However, it requires detailed analysis in terms of security and choice of the communication mean to use according to context-dependent criteria : energy costs, financial costs, preferences of the involved entities, privacy issues, etc. This problem has emerged as a key issue in the Smart Urban Spaces project in which this thesis was carried out. Our contribution to this project is the creation of collaborative applications adequately using the available wireless technologies on the considered equipments. In other words, we try to use the most appropriate communication mean (according to the criteria listed above) that two or more mobile devices can use to perform exchanges (without considering their respective positions). Then, the transparency of targets localization becomes a rule.We can synthesize the central question that we have chosen to study in the following manner : how to allow a set of mobile terminals (mobile phones in particular) to securely communicate using the most appropriate technology depending on the context ? Our goal is to answer this question by defining a multilevel platform taking into account the different technologies available on the considered equipments. It is necessaty to identify the elements to consider in the design of the platform, to model them, to develop reference applications and to validate the relevance of the proposed solutions with qualitative and quantitative evaluations.BORDEAUX1-Bib.electronique (335229901) / SudocSudocFranceF

A User Centric Security Model for Tamper-Resistant Devices

In this thesis we propose a design for a ubiquitous and interoperable device based on the smart card architecture to meet the challenges of privacy, trust, and security for traditional and emerging technologies like personal computers, smart phones and tablets. Such a de- vice is referred a User Centric Tamper-Resistant Device (UCTD). To support the smart card architecture for the UCTD initiative, we propose the delegation of smart card owner- ship from a centralised authority (i.e. the card issuer) to users. This delegation mandated a review of existing smart card mechanisms and their proposals for modifications/improve- ments to their operation. Since the inception of smart card technology, the dominant ownership model in the smart card industry has been refer to as the Issuer Centric Smart Card Ownership Model (ICOM). The ICOM has no doubt played a pivotal role in the proliferation of the technology into various segments of modern life. However, it has been a barrier to the convergence of different services on a smart card. In addition, it might be considered as a hurdle to the adaption of smart card technology into a general-purpose security device. To avoid these issues, we propose citizen ownership of smart cards, referred as the User Centric Smart Card Ownership Model (UCOM). Contrary to the ICOM, it gives the power of decision to install or delete an application on a smart card to its user. The ownership of corresponding applications remains with their respective application providers along with the choice to lease their application to a card or not. In addition, based on the UCOM framework, we also proposed the Coopetitive Architecture for Smart Cards (CASC) that merges the centralised control of card issuers with the provision of application choice to the card user. In the core of the thesis, we analyse the suitability of the existing smart card architectures for the UCOM. This leads to the proposal of three major contributions spanning the smart card architecture, the application management framework, and the execution environment. Furthermore, we propose protocols for the application installation mechanism and the application sharing mechanism (i.e. smart card firewall). In addition to this, we propose a framework for backing-up, migrating, and restoring the smart card contents. Finally, we provide the test implementation results of the proposed protocols along with their performance measures. The protocols are then compared in terms of features and performance with existing smart cards and internet protocols. In order to provide a more detailed analysis of proposed protocols and for the sake of completeness, we performed mechanical formal analysis using the CasperFDR.EThOS - Electronic Theses Online ServiceGBUnited Kingdo