Study into the Implications of Smartphone Operating System Security

Recommendations

Info

Study into the implications of Smartphone operating system security 5. Jails (or walled gardens): This is closing the sideloading feature. ENISA recommends that “the Smartphone should either be blocked from using untrusted app stores or , for expert users, present clear warnings about installing from untrusted sources”. United States of America Government policy and regulation According to Lookout Mobile Security’s Tim Wyatt the US Government is “getting more involved in Smartphone security with the regulator getting more involved with privacy issues around the use of these devices.” FTC vs. HTC A clear indication of the US regulatory bodies “getting more involved” was the recent legal action against Taiwanese Smartphone manufacturer, HTC. In February 2013, the US’ Federal Trade Commission (FTC), similar to the UK’s Office of Fair Trading (OFT), announced a settlement made by HTC after facing charges from the FTC that “it failed to secure millions of mobile devices shipped to consumers”. As a result of the settlement it was required to patch vulnerabilities on HTC Smartphones and tablet computers and to “establish a comprehensive security program designed to address security risks during the development of HTC devices”. According to a FTC press release, HTC “failed to take reasonable steps to secure the software it developed for its smartphones and tablet computers, introducing security flaws that placed sensitive information about millions of consumers at risk.” In a very indicting statement the FTC statement went on to say that “HTC America failed to employ reasonable and appropriate security practices in the design and customization of the software on its mobile devices” and “failed to follow well-known and commonly accepted secure coding practices, and failed to establish a process for receiving and addressing vulnerability reports from third parties”. Goode Intelligence © 2013 P a g e | 103 www.goodeintelligence.com
Study into the implications of Smartphone operating system security The FTC complaint revealed specific vulnerabilities that had been found on HTC’s devices including: Insecure implementation of two logging applications, Carrier IQ and HTC Loggers Programming flaws that would allow third-party applications to bypass Android’s permission-based security model This action by the FTC has been considered to be a milestone in Smartphone security. A government body taking legal action against a Smartphone manufacturer for poor security implementation. If the FTC has decided to intervene against HTC in its duty to protect USA consumers against Smartphone security threats, the question has to be asked “is this just the start of legal action and who could be next?” It sends out a clear warning to other vendors operating in this sector not to treat security lightly. As a follow-up to this case the FTC is planning to hold a public forum on malware and other mobile security threats on 4 June 2013. Federal Communications Commission (FCC) Smartphone Initiatives Another US Government body, the Federal Communications Commission (FCC) has responded to the Smartphone security threat with a number of initiatives that were started in April 2012. The FCC is Ofcom’s US counterpart who regulates “interstate and international communications by radio, television, wire, satellite and cable”. In April 2012, the FCC announced new initiatives to “combat massive smartphone and data theft”. 98 In a joint announcement with US State Police Departments and the Mayor of Washington D.C., Vincent Gray, the FCC highlighted the problem of Smartphone theft quoting New York City Police figures that “more than 40 percent of all robberies in New York City involve Smartphones”. A new initiative was announced, with the support of the US MNO (carrier) community, to “implement a database to prevent use of stolen Smartphones”. The central stolen Smartphone database was to be rolled out in an 18 month timeframe. Alongside the stolen Smartphone database initiative the FCC announced a number of other initiatives that aimed to raise consumer awareness through channels such as the US MNO (carrier) and handset manufacturer communities. These included (and the following is a direct quote from the FCC press release): “Encourage users to lock their phones with passwords: o Smartphone makers will notify and educate users in the most highly visible ways – through messages on the Smartphone itself and through “Quick Start” user guides – about how to use passwords to deter theft and protect their data Educate users in lock/locate/wipe applications: 98 FCC Press Release; “Announcement of New Initiatives to Combat Smartphone and Data Theft”. Released 10 April 2012. http://www.fcc.gov/document/announcement-new-initiatives-combatsmartphone-and-data-theft Goode Intelligence © 2013 P a g e | 104 www.goodeintelligence.com
Page 1 and 2:
www.goodeintelligence.com £ Study
Page 3 and 4:
Study into the implications of Smar
Page 5 and 6:
Page 7 and 8:
Page 9 and 10:
Page 11 and 12:
Page 13 and 14:
Page 15 and 16:
Page 17 and 18:
Page 19 and 20:
Page 21 and 22:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Page 51 and 52:
Page 53 and 54: Study into the implications of Smar
Page 103: Study into the implications of Smar
show all

Study into the Implications of Smartphone Operating System Security

Create successful ePaper yourself

Delete template?

Save as template?