Challenges in Mobile Security


CHALLENGES IN MOBILE SECURITY

PANG Jian Hao Jeffrey, CHUA Chee Leong, CHAN Guan Huat, LIM Seh Leng

ABSTRACT
In recent years, mobile devices have been used increasingly in organisations to improve productivity with the Ministry of
Defence looking to leverage this trend to enhance its operational efficiency. However, the use of mobile devices also opens
up new areas of vulnerability for potential adversaries to target.

This article shares the security challenges that arise from the use of mobile technology and how DSTA is adopting a systematic
approach in overcoming and securing the mobile cyber space. The article further discusses some design considerations for
mobile solutions and shares emerging technologies in mobile malware analysis and detection.

Keywords: mobile, security, threats, malware

INTRODUCTION

The widespread use of mobile devices, such as smartphones and tablets, brings users much convenience and ease of use by allowing them to be connected to the Internet anytime and anywhere. The Ministry of Defence (MINDEF) has also adopted mobile devices in various areas such as email processing on-the-go and enabling soldiers to access e-learning materials on their own time in order to enhance productivity.

However, with the diversity of mobile devices and the variety of security threats that can affect them, there is no one-size-fits-all solution to mobile security. Organisations should hence take a holistic approach to securing enterprise mobility to support business needs, including security policies formulation, device and configuration management for multiple devices and user education on mobile security.

This article reviews the challenges in achieving mobile security and presents DSTA’s approach in securing the mobile cyber space. The article further presents some emerging methods for predictive malware detection to mitigate application-based attacks.

MOBILE THREATS AND CHALLENGES

Mobile threats can largely be divided into several categories such as physical, network-based, system-based and application-based threats.

Physical Threats

One challenge faced in mobile security is the loss or theft of a mobile device. Compared to desktop computers, mobile devices are highly portable and lightweight. Hence, there is a greater likelihood of them getting lost or stolen.

Gaining physical access to a device would allow an attacker to perform malicious actions such as flashing it with a malicious system image, or connecting it to a computer to install malicious software or conduct data extraction. Hence, it is important not to leave devices unattended. In addition, device authentication and encryption need to be enforced to protect mobile devices against unauthorised access.

Network-based Threats

Mobile devices use common wireless network interfaces such as Wi-Fi and Bluetooth for connectivity. Each of these interfaces has its own inherent vulnerabilities and is susceptible to wireless eavesdropping attempts using readily available tools like Wifite or Aircrack-ng Suite. Users should thus only connect to trusted networks using WPA2¹ or better network security protocols.

System-based Threats

Manufacturers can sometimes introduce vulnerabilities into their devices unintentionally. For instance, the SwiftKey keyboard in Samsung Android devices was found to be vulnerable to eavesdropping attempts. Security updates were subsequently released to fix the issue (SwiftKey, 2015). Similarly, there exist critical vulnerabilities in Apple devices’ iPhone Operating System (iOS). One example is the “No iOS Zone” vulnerability that automatically connects any iOS devices within range to a fabricated network and repeatedly crashes the device to deny its use (Amit, 2015). This vulnerability was eventually fixed in a later version of the iOS. These incidents highlight the need to perform timely updates of mobile devices to mitigate system issues.

Application-based Threats

Similar to system vulnerabilities, third-party applications on mobile devices may also be out-of-date. Some application developers do not release software updates in a timely manner or may have dropped support for older OS versions. Even if software updates are available, users may not update applications on their mobile devices promptly. Using outdated software increases the risk that an attacker may exploit vulnerabilities associated with such software.

Malicious applications, also known as malware, can perform malicious operations when installed on a device such as stealing data, downloading other malware, sending premium rate messages or even remotely controlling a device (see Figure 1). These actions can result in financial losses and other forms of tangible or intangible losses to an individual or organisation. Hence, it is important to detect and prevent malware from infecting mobile devices.

Attackers usually use social engineering techniques to trick users into installing these malicious applications. It can be in the form of a link in a message, a shortened hyperlink or a repackaged application that masquerades as a legitimate application. It is therefore essential that controls be enforced on the download and installation of applications.

Most anti-virus vendors offer mobile versions of their desktop anti-virus software. The core technique used in these mobile solutions is based on the traditional signature-based detection techniques. By analysing known malware samples and developing specific signatures for detection, this approach helps detect known malicious applications. Although the signature-based approach can be effective in containing known malware, it fails to detect new, unknown or evolving variants due to a lack of signatures for such malware. Mobile malware has stayed ahead by using transformation and obfuscation techniques to evade detection. For example, polymorphic and metamorphic malware have the ability to modify their code as they propagate so that signature-based detection techniques are unable to pick up on their virus signatures. As such, a new approach for malware analysis and detection is needed to ensure mobile security.

Figure 1. Figure denoting different kinds of malware activities

DSTA HORIZONS | 2016 33


SYSTEMATIC APPROACH TOWARDS MOBILE SECURITY

DSTA adopts a systematic approach in assessing the mobile threats discussed in the previous section. This approach consists of five key elements – understanding, protection, detection, response and education (see Figure 2). This section discusses the use of this approach with reference to application-based threats.

Figure 2. Figure denoting the different elements in mobile security

Understanding

Active monitoring of cyber space keeps the organisation informed of new threats that can affect security. When such threats are discovered, they are studied and assessed for any impact to existing systems. Their mitigation measures will also be identified. For example, when a malware attack is discovered, understanding critical information such as attack vectors, malicious indicators and impact, can help organisations derive an appropriate countermeasure. In cases where a solution is not readily available or is still being developed, these mitigation measures will be applied in the interim.

Protection

Protection is a key component of mobile security and covers two main aspects. The first aspect is to prevent unwanted threats from entering or affecting the mobile system.

For example, having understood that malware can exist in the form of an application package or file, incoming network traffic can be scanned at a network proxy or gateway to check for malicious payload before forwarding it to the device. Applications and device operating systems are also updated in a timely manner to patch any vulnerabilities.

The other aspect of protection is to protect sensitive data from being leaked to unauthorised destinations. This can be achieved by securing the network channel using a virtual private network and blocking outgoing traffic to unauthorised destinations using customised firewall rules.

As most mobile devices transmit data through the wireless network, it is possible for an attacker to analyse the network and steal critical data while it is in transit. Therefore, DSTA has implemented an encryption solution that entails storing the encryption key on the user’s smartcard. This prevents unauthorised personnel from being able to read the content of the encrypted data without the user’s smartcard.


Detection

In an application-based threat, malware is one of the key tools used by attackers to perform malicious activities on a mobile device. The harm caused by malware and malicious activities can be reduced through early detection. The classic defence method against malware is the use of anti-virus. However, malicious software writers have become more sophisticated, often using mechanisms to change or obfuscate their codes to foil detection by classic security defences. As such, a new approach of employing a combination of static and dynamic analysis, as well as machine learning techniques is proposed to achieve comprehensive results.

Another detection methodology is to monitor and pick up anomalous system activities and behaviours. Once an anomaly is detected, alerts are triggered to the user and backend reporting system. These alerts may provide information on the malicious activities and can be correlated with other security data to provide cyber defence engineers with useful information to detect and respond to threats quickly.

Response

Incident response is an important element in any security framework. When an incident occurs, the incident response team will need to step in to contain it and conduct technical investigation. The prevention or mitigation method is then reviewed to prevent similar incidents from occurring.

In an application-based attack, the application used is analysed to understand its behaviour and other critical information required to assess its impact and derive appropriate countermeasures.

Education

Although many users may be aware that mobile devices are actively targeted by malware, most still do not believe that they will fall victim to these attacks. Thus, it is important to educate users on the safe practices for mobile device usage and keep them updated on new forms of attacks.

DESIGN CONSIDERATIONS OF MOBILE SOLUTION

DSTA’s design and development of mobile solutions gave rise to some challenges and provided many learning points for the organisation.

Capability and Scalability

To empower mobile users with the capability to process classified information on the move, DSTA designed and developed a two-factor authentication² (2FA) solution for mobile devices using smartcard technology. The solution consists of four components – the smartcard reader hardware, driver, smartcard middleware and client application. The client application requires the smartcard middleware and the driver to communicate with the smartcard and the reader respectively. To log in, the 2FA solution requires the user to present a tangible asset that only he or she has, such as a smartcard, as well as enter a piece of information that only he or she knows, such as a PIN.

One of the challenges is in sourcing for a smartcard reader and interface that can work with mobile devices. Smartcard readers used for desktops are not suitable for mobile devices due to interface or driver incompatibility. Furthermore, the software driver and middleware need to be customised in order to work with certain hardware and mobile OS. Moreover, as peripheral interfaces for mobile devices are changed every few years, the smartcard solution may have to be modified or even redeveloped often.

DSTA overcame this issue by adopting a systems engineering approach in which each component of the mobile smartcard solution was designed to be modular and developed on an open standard smartcard application interface, making the solution flexible in adapting to changes in the mobile world. With this modular design, subsequent development of the mobile smartcard solution requires less development work. Throughout the years, many peripheral interface options for smartcard readers were explored, developed and delivered for use in MINDEF. These include Secure Digital Input Output, Compact Flash, Bluetooth and USB interfaces (see Figure 3).

Hardware Limitations

While the processor speed of mobile devices has gone up significantly over the last few years, the devices themselves are still limited in terms of memory size, network connection and physical interfaces. These can be limiting factors in solution design. For example, the mobile security solution needs to be optimised for power efficiency as mobile devices tend to have shorter battery life. Network data transfer also has to be minimised as data transfer over mobile network can incur high costs to users.



Figure 3: Illustration of different smartcard interfaces

In addition, the number of available interface ports on a device may be a design consideration. Most mobile devices have only one interface port that is also intended for charging. If a solution requires the use of an interface port for a long period of time, the device will not be able to charge. Therefore, the number of interface ports needs to be considered when selecting a suitable device.

Usability and Security

A traditional approach to enhance security is to fully harden a device. This involves locking down the device, restricting users from downloading applications, mandating strong authentication to access the mobile device and limiting connectivity, among other security measures. While this results in a secured device, it may no longer be user-friendly enough to meet the original intent as a technology enabler.

As such, DSTA adopts a design strategy that takes into account the usability and security of the mobile security solution. To achieve this, a threat risk assessment is performed before designing any solution to identify the critical areas that must be secured and analyse how this may affect usability. Any residual risk and proposed mitigation methods are discussed with stakeholders to reach a common understanding and agreement. This ensures that both security and usability are optimised while satisfying user requirements.

EMERGING MOBILE MALWARE DETECTION TECHNOLOGY

This section discusses some emerging approaches for analysing and detecting mobile malware and how they can be integrated into the larger defence infrastructure. Many research institutes have studied these approaches which can be largely categorised into static analysis, dynamic analysis and machine learning.

Static Analysis

Static analysis is the analysis of an application that is performed without actually executing the program. By performing a static analysis, an analyst can deduce the behaviours of an application. Other useful information such as required permissions, resources used and embedded strings can also be discovered. Additionally, information such as header files and database information can be extracted for analysis. For example, the RiskRanker project statically identified applications with different security risks. It detected properties such as encrypted code execution, dynamic code loading and various suspicious actions (Grace, Zhou, Zhang, Zou, & Jiang, 2012).

Although static analysis incurs less performance overhead, its effectiveness can largely be limited by techniques such as code obfuscation, encrypted code and dynamic loading of code during runtime.
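
The static checks described above, sketched as an added example (not code from the article, DSTA or RiskRanker): it reads permissions and intent actions from a decoded AndroidManifest.xml and scans embedded strings for indicators such as dynamic code loading, without running the application. The manifest, the string list and both rule tables are constructed for illustration and are assumptions.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: a decoded (text) AndroidManifest.xml for a "flashlight" app
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Flashlight">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: printable strings pulled from the app's code and resources
STRINGS = [
    "Ldalvik/system/DexClassLoader;",
    "http://updates.example.invalid/payload.dex",
    "javax/crypto/Cipher",
    "Turn on flashlight",
]

# Illustrative rules (assumptions, not RiskRanker's): finding -> reason to review
RISKY_PERMISSIONS = {
    "android.permission.SEND_SMS": "can send premium-rate messages",
    "android.permission.READ_CONTACTS": "can read data worth stealing",
}
STRING_RULES = [
    (re.compile(r"DexClassLoader|PathClassLoader"), "dynamic code loading"),
    (re.compile(r"https?://\S+\.(dex|apk|jar)\b"), "downloads executable code"),
    (re.compile(r"javax/crypto/Cipher"), "uses encryption (possible encrypted code)"),
]

def manifest_facts(xml_text):
    """Return (package, permissions, intent actions) from a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]
    actions = [e.get(ANDROID_NS + "name") for e in root.iter("action")]
    return root.get("package"), perms, actions

def static_report(xml_text, strings):
    """Collect findings without executing the app; each finding carries its reason."""
    package, perms, actions = manifest_facts(xml_text)
    findings = [(p, RISKY_PERMISSIONS[p]) for p in perms if p in RISKY_PERMISSIONS]
    if "android.intent.action.BOOT_COMPLETED" in actions:
        findings.append(("BOOT_COMPLETED receiver", "starts itself at boot"))
    for s in strings:
        for pattern, reason in STRING_RULES:
            if pattern.search(s):
                findings.append((s, reason))
    return {"package": package, "permissions": perms, "findings": findings}

if __name__ == "__main__":
    report = static_report(MANIFEST, STRINGS)
    print(report["package"])
    for item, reason in report["findings"]:
        print(f"  {item}: {reason}")
```

String rules of this kind are exactly what obfuscation and encrypted code defeat, which is the limitation noted above.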


Dynamic Analysis

Dynamic analysis is the analysis of an application that is performed by executing a program on a real or virtual environment to observe its behaviours at runtime. These behaviours include system calls at runtime, file accesses and network information which are difficult to analyse solely with static analysis. A commonly used approach is the sandbox concept whereby an inspected application is executed in an emulator or virtual environment for behaviour monitoring. For example, the DroidScope project provided an open source implementation of a customised Android OS. This implementation is capable of collecting an application’s behavioural information at different layers of the platform (Lok & Heng, 2012).

The information collected from these application sandboxes allows one to understand the behavioural characteristics of an application and provides insights that may be useful to combat new and unknown malware.

Machine Learning

Machine learning is a popular technique used in financial and marketing industries to predict trends and user behaviour patterns. By analysing a large amount of real world data, machine learning algorithms are able to correlate patterns and trends to make predictions or classify observations. Machine learning-based malware detection allows organisations to classify an application as being either malicious or benign.

Static or dynamic analysis can be used to collect the data required for machine learning. The former was used in the Drebin project which outperformed nine out of ten selected anti-virus software with a detection rate of more than 93% (Arp, Spreitzenbarth, Hübner, Gascon, & Rieck, 2014). The results show that these emerging techniques can be useful tools for protection against application-based threats.

Proposed Integrated Malware Detection System

DSTA is continuously experimenting and exploring solutions to enhance cybersecurity. One such solution is the adoption of an integrated system approach in malware detection (see Figure 4). This integrated system aims to combine and assess the results from several backend detection engines that leverage different detection techniques to derive a final assessment of targeted applications. As no single technique is completely robust and foolproof, a combination of the mobile malware detection approaches can be integrated to complement signature-based detection.
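
The machine learning and integrated detection ideas above, combined in one added example (not DSTA's system and not Drebin's code): a linear classifier is trained on sets of static feature strings and then run behind an exact-hash signature engine, so a modified build that the signature misses is still flagged. A simple perceptron stands in for the linear SVM that Drebin uses; the feature names, training set, sample bytes and verdict rule are all constructed assumptions.

```python
import hashlib

# Constructed training data: (static feature set, label); +1 malicious, -1 benign
TRAIN = [
    ({"perm:SEND_SMS", "perm:INTERNET", "api:DexClassLoader", "intent:BOOT_COMPLETED"}, +1),
    ({"perm:SEND_SMS", "perm:READ_CONTACTS", "perm:INTERNET", "api:Cipher"}, +1),
    ({"perm:READ_SMS", "perm:INTERNET", "api:DexClassLoader", "intent:BOOT_COMPLETED"}, +1),
    ({"perm:CAMERA", "perm:INTERNET"}, -1),
    ({"perm:INTERNET", "perm:ACCESS_FINE_LOCATION", "api:Cipher"}, -1),
    ({"perm:READ_CONTACTS", "perm:INTERNET"}, -1),
]
# Signature database: SHA-256 of one known sample (constructed bytes, not a real file)
KNOWN_BAD = {hashlib.sha256(b"constructed sample, build 1").hexdigest()}

def train_perceptron(samples, epochs=20):
    """Learn one weight per feature string; an app's score is bias + sum of weights."""
    weights, bias = {}, 0.0
    for _ in range(epochs):
        for features, label in samples:
            score = bias + sum(weights.get(f, 0.0) for f in features)
            if label * score <= 0:  # misclassified: move the weights towards the label
                for f in features:
                    weights[f] = weights.get(f, 0.0) + label
                bias += label
    return weights, bias

def explain(weights, features, top=2):
    """Features that raised the score most, so an analyst can see why it was flagged."""
    hits = sorted(((weights.get(f, 0.0), f) for f in features), reverse=True)
    return [f for w, f in hits[:top] if w > 0]

def assess(apk_bytes, features, weights, bias):
    """Final assessment from two engines: exact-hash signature, then learned score."""
    if hashlib.sha256(apk_bytes).hexdigest() in KNOWN_BAD:
        return {"verdict": "malicious", "engine": "signature", "why": ["known hash"]}
    score = bias + sum(weights.get(f, 0.0) for f in features)
    if score > 0:
        return {"verdict": "suspicious", "engine": "classifier",
                "why": explain(weights, features)}
    return {"verdict": "no detection", "engine": None, "why": []}

if __name__ == "__main__":
    weights, bias = train_perceptron(TRAIN)
    variant = {"perm:SEND_SMS", "perm:INTERNET", "api:DexClassLoader", "perm:CAMERA"}
    print(assess(b"constructed sample, build 1", variant, weights, bias))
    print(assess(b"constructed sample, build 2", variant, weights, bias))
```

The second call is the case the article is concerned with: the bytes differ from the known sample, so the hash lookup fails, but the feature set still scores as suspicious and the result names the features responsible.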

Figure 4. Illustration of proposed Integrated malware detection system



The positive research findings from the use of emerging technologies have led to the commercialisation of some research projects. However, most commercial-off-the-shelf (COTS) solutions are only available with cloud-based offerings which may not be suitable for use in the defence industry due to security concerns. On the other hand, an on-premise system requires updates and the timeliness of such updates needs to be assessed. Other considerations include the technical feasibility of integrating various COTS systems as COTS products might not provide interoperable interfaces for integration. Thus, various assessments need to be done to evaluate these products before they can be used. Despite these various considerations, this integrated system shows potential in detecting new and unknown malware that cannot be picked up by signature-based detection techniques.

CONCLUSION

This paper has highlighted the various threats faced in mobile computing and provides a comprehensive framework in securing the mobile cyber space. Mobility is a critical area of IT infrastructure that needs to be protected. To stay ahead of sophisticated cyber threats on mobile devices, the approaches presented in this article provide a systematic framework to protect mobile devices against different categories of threats. Some emerging techniques for malware detection are also highlighted. With this framework, a more secure mobile infrastructure can be delivered to MINDEF to further enhance military enterprise functions and operations.

REFERENCES

Amit, Y. (2015, April 22). “No iOS zone” – a new vulnerability allows DoS attacks on iOS devices. Retrieved from https://www.skycure.com/blog/ios-shield-allows-dos-attacks-on-ios-devices/

Arp, D., Spreitzenbarth, M., Hübner, M., Gascon, H., & Rieck, K. (2014). Drebin: effective and explainable detection of Android malware in your pocket. Network and Distributed System Security Symposium, San Diego, California. Retrieved from http://www.internetsociety.org/sites/default/files/11_3_1.pdf

Grace, M., Zhou, Y., Zhang, Q., Zou, S., & Jiang, X. (2012). RiskRanker: scalable and accurate zero-day Android malware detection. International Conference on Mobile Systems, Applications, and Services, Lake District, United Kingdom, 281-294. doi: 10.1145/2307636.2307663

Lok, K. Y., & Heng, Y. (2012). DroidScope: seamlessly reconstructing the OS and Dalvik semantic views for dynamic Android malware analysis. USENIX Security Symposium 2012, Bellevue, Washington. Retrieved from https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final107.pdf

SwiftKey. (2015, June 17). An update on the Samsung keyboard security vulnerability. Retrieved from http://swiftkey.com/en/blog/samsung-keyboard-security-vulnerability-swiftkey/

ENDNOTES

1 Wi-Fi Protected Access II (WPA2) is a security protocol for wireless networks that implements the National Institute of Standards and Technology FIPS 140-2 compliant AES encryption algorithm and 802.1x-based authentication.

2 Two-factor authentication (also known as 2FA) is a technology used to prove a user’s identity by requiring the user to provide a combination of two components. These components may be something that the user possesses (e.g. the user’s smartcard), and something that the user knows (e.g. a PIN).


BIOGRAPHY
PANG Jian Hao Jeffrey is an Engineer (Cybersecurity) who is currently involved in the development of cybersecurity solutions on mobile devices for DSTA, the Ministry of Defence (MINDEF) and the Singapore Armed Forces (SAF). Jeffrey graduated with a Bachelor of Engineering (Computer Science) degree with Honours from Nanyang Technological University (NTU) in 2012.

CHUA Chee Leong is a Development Manager (Cybersecurity) managing the development of cybersecurity solutions to detect and prevent cyber threats on mobile devices. Chee Leong graduated with a Bachelor of Engineering (Electrical and Electronic Engineering) degree from NTU in 1998. He further obtained a Master of Engineering (Electrical and Electronic Engineering) degree from NTU in 2000.

CHAN Guan Huat is a Development Manager (Cybersecurity) designing, developing and implementing cybersecurity solutions on mobile devices. Guan Huat graduated with a Bachelor of Engineering (Electrical and Electronic Engineering) degree from NTU in 2002.

LIM Seh Leng is a Development Programme Manager (Cybersecurity) who currently leads the development of secure mobility solutions for DSTA, MINDEF and the SAF. Seh Leng graduated with a Bachelor of Engineering (Electrical Engineering) degree with Honours from the National University of Singapore in 1994.
