Friday, 24 September 2010

SRG Goes Mobile, Part One -- An Unsolvable Problem


For the first time, Fortify's Security Research Group investigated platforms and applications in the mobile space. In an upcoming post, SRG summer intern turned Ph.D. candidate Clint Gibler will detail his foray into iOS. Here we consider general security issues with mobile. We will go on to discuss how these vulnerabilities manifest in Google's Android operating system and applications.

The foremost security flaw with mobile is that you will lose your hardware. You may lose it to theft, or you may hand your phone to nefarious airport personnel for a few minutes as you walk through the metal detector. Moving away from the sinister side of the spectrum, you may inadvertently leave your phone in a bar. You may innocently recycle your phone when you upgrade to the newer model. Regardless of the scenario, losing control of your multi-hundred-dollar hardware hands over access to gigabytes of your valuable data: your contacts, your stored passwords, and sensitive documents riding along as e-mail attachments.

We acknowledge this problem is endemic to mobile. Any data storage platform is a target for theft: a desktop machine, a laptop, thumb drive, or smartphone; even a manila folder. The risk of loss grows as the device size shrinks. Also, the target's value increases in proportion to its capacity. Thirdly, as a device performs more functions, there exist more types of information on it. A mobile phone contains a list of phone numbers, but a web-enabled mobile computing platform can contain this and bank account information and sensitive documents. Hence we believe that a mobile device like an Android-enabled phone lives in an attacker's sweet spot.

No software solution will prevent losing your phone. Fortify's Security Research Group addressed the resultant data loss by ensuring that sensitive data is not written to an unprotected location in Android. As your phone gains more of the functionality of your computer, you must protect it as such. For example, Android provides full support for SQLite databases that an application may use for structured storage. Mostly full, that is: SQLite mostly mitigates your fears of SQL injection, but only mostly. Analogous to your desktop, your mobile platform opens itself to attack through its software. These security issues - data loss and malware - exist for the Android platform.
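The "only mostly" caveat above is that SQLite defends against injection only when the application binds values as parameters instead of splicing them into the SQL text. The following is an added illustration, not code from the original post or from Fortify; it uses Python's sqlite3 module as a stand-in for Android's SQLiteDatabase (whose rawQuery and query methods accept a selectionArgs array for the same binding), and the contacts table and the crafted lookup string are constructed sample data.

```python
import sqlite3

# Constructed sample data: a tiny contacts table like one an app might keep on the device.
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concat(conn, name):
    """Vulnerable pattern: the caller-supplied string is spliced into the SQL text,
    so quote characters in it change the meaning of the statement."""
    sql = "SELECT email FROM contacts WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, name):
    """Safe pattern: the statement and the value travel separately and the value is
    never parsed as SQL. This is the binding Android exposes via selectionArgs."""
    sql = "SELECT email FROM contacts WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run the same crafted input through both lookups and return the results."""
    conn = make_db()
    crafted = "nobody' OR '1'='1"  # constructed input; no contact has this name
    return {
        "concat": lookup_concat(conn, crafted),  # returns every row
        "bound": lookup_bound(conn, crafted),    # returns nothing
        "legit": lookup_bound(conn, "alice"),    # normal lookup still works
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The concatenating version returns every e-mail address for a name that matches no contact, because the quote in the input closes the literal and the rest is evaluated as SQL; the bound version returns nothing for the same input and still answers a normal lookup. The fix on Android is the same as here: pass user-influenced values through selectionArgs rather than building the query string by hand.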

In the next post, we will describe SRG's third quarter efforts to save Android from itself.
Posted by ssundar at 10:59 AM in Research
