Mobile Threat Catalogue

Introduction

Mobile devices pose a unique set of threats to enterprises. Typical enterprise protections, such as isolated enterprise sandboxes and the ability to remote wipe a device, may fail to fully mitigate the security challenges associated with these complex mobile information systems. Accordingly, a set of security controls and countermeasures that address mobile threats in a holistic manner must be identified, necessitating a broader view of the entire mobile security ecosystem. This view must go beyond devices to include, as an example, the cellular networks and cloud infrastructure used to support mobile applications and native mobile services.

Technology Stack

Mobile devices share some architectural similarities with their desktop counterparts, but there are significant distinctions between personal computers and these portable information systems. In addition to cellular functionality, including a number of radios, modern smartphones and tablets typically include a full suite of environmental sensors, cryptographic processors, and multiple wireless and wired communication methods. They also include a touch screen, audio interface, one or more high definition (HD) video cameras, and in odd edge cases unusual capabilities like video projectors.

For smart phones and tablets with cellular capabilities, a separation exists between the hardware and firmware used to access cellular networks and the hardware and firmware used to operate the general purpose mobile OS. The hardware and firmware used to access the cellular network, often referred to as the telephony subsystem, typically runs a real-time operating system (RTOS). This telephony subsystem is colloquially named the baseband processor, and may be implemented on a dedicated System on a Chip (SoC), or included as part of the SoC containing the application processor also running the general purpose mobile OS.

The firmware necessary to boot the mobile OS (i.e., bootloader) may verify additional device initialization code, device drivers used for peripherals, and portions of the mobile OS – all before a user can use the device. If the initialization code is modified or tampered with in some manner, the device may not properly function. Many modern mobile devices contain an isolated execution environment, which is used specifically for security-critical functions. For example, these environments may be used for sensitive cryptographic operations, to verify integrity, or to support Digital Rights Management. These environments typically have access to some amount of secure storage which is only accessible within that environment.

The mobile OS enables a rich set of functionality by supporting the use of mobile applications written by third-party developers. Accordingly, it is common for mobile applications to be sandboxed in some manner to prevent unexpected and unwanted interaction between the system, its applications, and those applications’ respective data (including user data). Mobile applications may be written in native code running closely to the hardware, in interpreted languages, or in high-level web languages. The degree of functionality of mobile applications is highly dependent upon the application programming interfaces (APIs) exposed by the mobile OS.

Communication

Contemporary mobile devices contain integrated hardware components to support a variety of I/O mechanisms. While some of the communication mechanisms are wireless (i.e., cellular, WiFi, Bluetooth, GPS, NFC), others require a physical connection (i.e., power and synchronization cable, SIM, external storage). As seen in the figure below, each of these different wireless and wired device communication mechanisms exposes the device to a distinct set of threats and must be secured or the overall security of the device may be compromised.

Subscriber Identity Module (SIM)

This removable hardware token is colloquially referred to as the Subscriber Identity Module (SIM) card, although current standards use the term Universal Integrated Circuit Card (UICC). This System on a Chip (SoC) houses the subscriber identity (i.e., International Mobile Subscriber Identity), pre-shared cryptographic keys, and configuration information needed to obtain access to cellular networks. The UICC is essentially a smartcard that runs a Java application known as the Universal Subscriber Identity Module (USIM), which is used to run a set of applications that control the phone’s access and authentication with the MNO’s cellular networks and roaming partners. It is possible to develop and run other applications on the Java Card platform, such as games and mobile payment applications.

As of the writing of this report, a technology called Embedded SIM (eSIM) is being integrated into some mobile devices. eSIMs will allow MNOs to remotely provision subscriber information during initial device setup, and allow the remote changing of subscription from one MNO to another. This technology may radically change the way mobile devices are provisioned on the carrier network and therefore introduces a new set of threats.

Cellular Air Interface

The cellular air interface is arguably the defining networking interface for modern mobile devices. Initial cellular systems, such as second generation (2G) Global System for Mobile Communications (GSM) and third generation (3G) Universal Mobile Telecommunications System, were modeled after the traditional wireline circuit-switched telephone system. Each call was provided with a dedicated circuit providing a user making a telephone call with a baseline guarantee of service. In contrast, newer fourth generation (4G) Long Term Evolution (LTE) networks were designed to utilize a packet-switched model for both data and voice. An LTE network provides consistent IP connectivity between an end user’s mobile device and IP-based services on the packet data network (PDN).

There are many cellular network types, each with its own air interface standards. The cellular air interface is the technical term for the radio connection between a mobile device and the cellular tower. This air interface can generally communicate with many types of base stations (e.g., cellular towers) which come in many sizes and types – cellular repeater / relay nodes, and even other handsets.

MNOs strive to run high availability “carrier grade” services that operate over the air interface at the network level, and can integrate with other systems they operate. These services may include circuit switched calling, VoLTE (Voice over LTE), Unstructured Supplementary Service Data (USSD), integrated voicemail with notifications, and messaging (e.g., Short Messaging Service (SMS)). Carrier-grade messaging services are commonly referred to as text messages, but include SMS, the extension to SMS known as Multimedia Messaging Service (MMS), and the new Rich Communication Services (RCS). USSD is an aging method for establishing a real-time session with a service or application to quickly share short messages. Although not common within the United States, USSD is used in emerging markets for a number of services, including mobile banking.

WiFi

WiFi is a wireless local area network (WLAN) technology based on the IEEE 802.11 series of standards. WiFi is used by most mobile devices as an alternative to cellular data channels, or even the primary data egress point in WiFi-only mobile devices. WLANs typically consist of a group of wireless devices within a contained physical area, such as an apartment, office, or coffee shop, but more expansive enterprise or campus deployments are also common. While not guaranteed, campus or enterprise deployments are more likely to implement security features such as WPA2 encryption. Smartphones, laptops, and other devices utilizing WiFi often need to connect back to a central wireless access point (AP), but may work in a device-to-device ad hoc mode.

Global Navigation Satellite System (GNSS)

A GNSS provides worldwide geo-spatial positioning via the global positioning system (GPS), which uses line of sight communication with a satellite constellation in orbit to help a handset determine its location. These systems run independently of cellular networks. The US Federal Government operates a GPS constellation, although mobile devices may use other systems (e.g., GLONASS, Galileo). It should be noted that the GPS system is not the only way for a mobile device to identify its location. Other techniques include Wi-Fi assisted positioning, which leverages databases of known service set identifiers (SSIDs) and geolocation of IP addresses.

Bluetooth

Bluetooth is a short-range wireless communication technology. Bluetooth technology is used primarily to establish wireless personal area networks (PANs). Bluetooth technology has been integrated into many types of business and consumer devices including cell phones, laptops, automobiles, medical devices, printers, keyboards, mice, headphones, and headsets. This allows users to form ad hoc networks between a wide variety of devices to transfer data.

Near Field Communication (NFC)

NFC uses radio frequency emissions to establish low throughput, short-range communication between NFC-enabled devices. It is typically optimized for distances of less than 4 inches, but can potentially operate at and pose a threat at much greater distances. NFC is based on the radio frequency identification (RFID) set of standards. Mobile payment technology relies on NFC, which has led to NFC’s increasing visibility in recent years as newer mobile wallet technologies are being deployed on a large scale. The use of NFC for financial transactions makes it attractive to criminal attackers with the goal of financial gain.

Secure Digital (SD) Card

The SD card standard comprises various form factors that offer different performance ratings and storage capacities. SD cards are typically used to expand the storage capacity of mobile devices to store data such as photos, videos, music, and application data. SD cards are not integrated into every mobile device, although the use of SD cards is particularly popular in developing nations where built-in storage may be uncommon.

Power & Synchronization Port

The power and synchronization port on a mobile device is most often used to charge a mobile device, and may take the form of Universal Serial Bus (USB) Type-C, Micro-USB, Apple Lightning, or Apple 30 pin. The cable is also used to carry data to, or access the device from, another information system. Use cases include data synchronization with or backup to a PC, or provisioning into an Enterprise Mobility Management system. This cable may also be used to charge another device in some circumstances. Because of this dual use of power and data, this interface is used as a vector for a number of attacks.

Supply Chain

Mobile devices are designed, manufactured, distributed, used, and disposed of in a manner similar to other commercial electronics. Unique threats to mobile devices exist at every part of this lifecycle. Supply chain threats are particularly difficult to mitigate because mobile device components are under constant development and are sourced from tens of thousands of original equipment manufacturers (OEMs). Some subcomponents of mobile devices (e.g., baseband processors) require matched firmware developed by the OEM. This firmware can itself contain software vulnerabilities and can increase the overall attack surface of the mobile device.

Of the layers presented in the mobile device technology stack, a variety of different organizations own or control different parts. In the case of Apple’s highly vertically integrated iOS devices, Apple develops the mobile operating system, as well as the majority of the specialized firmware and hardware components. In contrast, Google’s Android ecosystem is almost completely vertically sliced with both hardware and software components being supplied by tens of thousands of vendors. Google does not manufacture any hardware components, although they do form partnerships to create the Google-branded Nexus series of Android reference devices. An independent handset manufacturer may design a majority of the hardware and firmware to operate an Android device, and even customize the Android user interface; however, they still need Google’s core Android OS to be part of the massive Android application ecosystem. This entire design and manufacturing process has the potential to markedly influence the security architecture of the resulting mobile device.

Mobile Ecosystem

Mobile devices do not exist in a vacuum – a series of networks and interconnected systems exist to support modern mobility. The utility of modern mobile devices is greatly enhanced by software applications and their supporting cloud services. Mobile OSs provide dedicated application stores for end users offering a convenient and customized means of adding functionality. Application stores pose an additional threat vector for attackers to distribute malware or other harmful software to end users. This is especially true of third-party application stores not directly supervised by mobile OS vendors.

Cellular Infrastructure

MNOs build out cellular base stations over a large geographic area. These base stations modulate and demodulate radio signals to communicate with mobile devices. Base stations forward mobile device information, such as calls, messages, and other data, to other base stations and a cellular network core. The cellular network core contains anchor points to communicate with other networks, such as other MNOs’ cellular networks, WiFi networks, the Internet, and the PSTN. Cellular network cores also rely upon authentication servers to use and store customer authentication information.

Public Application Stores

Major mobile operating system vendors own and operate their own native mobile application stores, which host mobile applications for users to download and install. These stores also provide music, movies, video games, and more. Access to these stores is natively installed and configured into mobile devices. Third-party mobile application stores also exist for most mobile operating systems. These third-party application stores may be explicitly built into the mobile OS, or they may be added as additional functionality for jailbroken or rooted devices. Third-party application stores may be completely legitimate, but may also host applications that commit substantial copyright violations or “cracked” versions of applications that allow users to install and use paid applications for free.

The native application stores are hosted and operated by their respective mobile OS developers.

Private Application Stores

Many enterprises and other organizations host their own mobile application stores. These stores either host, or link to, a set of applications for an organization’s users to access. These applications may be privately developed applications that organizations do not wish to be made public, or they may be publicly available applications that have been specifically approved for enterprise use. The servers used to host these applications may be privately hosted and operated by the enterprise, or hosted and operated by a third-party cloud provider.

Device & OS Vendor Infrastructure

Mobile OS developers often host infrastructure to provide updates and patches to a mobile device’s OS and native applications. Other cloud-based applications may be provided as well, including functionality to locate, lock, or wipe a missing device or to store user data (e.g., pictures, notes, music).

Enterprise Mobility Management Systems

Enterprise Mobility Management (EMM) systems are a common way of managing mobile devices in an enterprise. Although EMMs are not directly classified as a security technology, they can help to deploy policies to an enterprise’s device pool and to monitor a device’s state. Mobile OS developers provide APIs for EMM systems to deliver mobile policies, such as only allowing a whitelisted set of applications to run; ensuring a lock screen security policy is met; and disabling certain device peripherals (e.g., camera). EMMs can also use APIs to gather data about various aspects of a mobile device’s state.

Enterprise Mobile Services

Email, contacts, and calendars are common workforce drivers, and are the cornerstone applications in mobile devices that are deployed by enterprises. Directory services are also deployed in an enterprise and used by mobile devices. Enterprises may also make other services available to mobile devices depending on their specific mission needs and requirements.

Mobile Device Technology Stack

In order to fully address the inherent threats of mobile devices, a wider view of the mobile ecosystem is necessary. The mobile device technology stack consists of the hardware, firmware, and software used to host and operate the mobile device.

  • Mobile Applications: The Applications subcategory contains threats related to software applications developed for a mobile device, or more specifically a mobile operating system.
  • Mobile Operating System: Operating system specifically designed for a mobile device and running mobile applications.
  • Device Drivers: Plug-ins used to interact with device hardware and other peripherals (e.g., camera, accelerometer).
  • Isolated Execution Environments: Hardware or firmware-based environment built into the mobile device that may provide many capabilities such as trusted key storage, code verification, code integrity, and trusted execution for security relevant processes.
  • SD Card: SD cards are removable memory used to expand the storage capacity of mobile devices to store data such as photos, videos, music, and application data.
  • Boot Firmware: The firmware necessary to boot the mobile OS (i.e., bootloader). Firmware may verify additional device initialization code, device drivers used for peripherals, and portions of the mobile OS – all before a user can use the device.
  • Baseband Subsystem: The collection of hardware and firmware used to communicate with the cellular network via the cellular radio.
  • SIM Card: This removable hardware token is a SoC housing the IMSI, pre-shared cryptographic keys, and configuration information needed to obtain access to cellular networks.

Cellular

Threats exist to a number of cellular systems, broken into the following subcategories:

  • Air Interface: The cellular air interface is the radio connection between a handset and a base station. There are many cellular network types each with its own air interface standards which as a total set are extremely flexible and primarily communicate with base stations.
  • Consumer grade small cell: Small cells are often used to extend cellular network coverage into homes, offices, and other locations lacking service.
  • Carrier-grade Messaging Services: Messaging services (i.e., SMS, MMS, RCS) allow text, photos, and more to be sent from one device to another. Although third-party messaging services exist, carrier-grade messaging services are pre-installed on nearly every mobile phone, and are interoperable with most MNOs’ networks.
  • USSD: A method for establishing real-time sessions with a service or application to quickly share short messages. Although USSD messages may travel over SMS, the protocol itself is distinct.
  • Carrier Infrastructure: This category includes threats to the base stations, backhaul and cellular network cores.
  • Carrier Interoperability: This subcategory is primarily reserved for signaling threats associated with the Signaling System No. 7 (SS7) network.
  • VoLTE: The packet switched network application used for making voice calls within LTE. Although not supported in all MNO networks, large-scale rollouts are underway throughout the world.

LAN & PAN

This threat category consists of local and personal area wireless network technologies.

  • WiFi: WiFi is a WLAN technology based on the IEEE 802.11 series of standards.
  • Bluetooth: Bluetooth is a medium-range, lower power, wireless communication technology.
  • NFC: NFC is a short range wireless communication technology commonly used for mobile wallet technologies and peripheral configuration, although a number of other applications exist.

GPS

A network of orbiting satellites used to help a device determine its location.

Authentication

Authentication mechanisms are grouped within the three subcategories listed below. Individual credential and token types are not broken into their own categories and are instead included within one of these three broad categories.

  • User to Device: Mechanisms used to authenticate with a mobile device, such as passwords, fingerprints, or voice recognition. This is most often local authentication to a device’s lock screen.
  • User or Device to Remote Service: Mechanisms a user or a distinct non-person entity (NPE) uses to remotely authenticate to an external process, service, or device.
  • User or Device to Network: Mechanisms a user, mobile device, or peripheral uses to authenticate to a network (e.g., Wi-Fi, cellular). This commonly includes proving possession of a cryptographic token.

Supply Chain

Includes threats related to the device and component supply chain. To the extent that they are included, software supply chain related threats are noted within the Exploitation of Vulnerabilities in Applications category.

Physical Access

This category includes general threats originating from outside of the device, such as device loss and malicious charging stations.

Ecosystem

This category includes threats related to the greater mobile ecosystem, which includes a number of items such as EMMs, mobile OS vendor infrastructure, and mobile enterprise services such as email, contacts, and calendar.

  • Mobile OS Vendor Infrastructure: Infrastructure provided by the OS developer to provide OS and application updates, alongside auxiliary services such as cloud storage.
  • Native Public Stores: Major mobile operating system vendors own and operate their own native mobile application stores, which host mobile applications alongside music, movies, games, etc. for users to download and install.
  • Private Enterprise Stores: Application stores may be owned and operated by private enterprises to host applications not meant for public distribution, such as applications developed and used solely within the organization.
  • Third-Party Stores: Other legitimate, and illegitimate, application stores may be owned and operated by organizations external to the major mobile operating system vendors.

Enterprise Mobility

This threat category comprises enterprise mobility management systems and threats to enterprise services.

Payment

Threats related to mobile payments are included within this category, including a variety of mobile payment technologies such as USSD, NFC-based payments, and credit card tokenization. Although general threats relating to USSD and NFC are included elsewhere, threats relating to payment specific use cases are captured here.
