Automated Smartphone Security Configuration

  • Conference paper
Data Privacy Management and Autonomous Spontaneous Security (DPM 2012, SETOP 2012)

Abstract

Smartphones host operating systems that are on a par with modern desktop environments. For example, Google Android is a mobile operating system that is based upon a modified version of the Linux OS. Notwithstanding traditional threats to mobile phones, threats to desktop environments are also applicable to smartphones. Management of security configurations for the end-user has, to date, been complex and error-prone. As a consequence, misconfiguration of and/or a poor understanding of a security configuration may unnecessarily expose a smartphone to known threats. In this paper, a threat-based model for smartphone security configuration is presented. To evaluate the approach, a prototype smartphone security agent that automatically manages security configurations on behalf of the end-user is developed. A case study based on firewall access control demonstrates how automated security configuration recommendations can be made based on catalogues of countermeasures. These countermeasures are drawn from best-practice standards such as NIST 800-124, a guideline on cell phone and PDA security and NIST 800-41-rev1, a guideline on firewall security configuration.

Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Fitzgerald, W.M., Neville, U., Foley, S.N. (2013). Automated Smartphone Security Configuration. In: Di Pietro, R., Herranz, J., Damiani, E., State, R. (eds) Data Privacy Management and Autonomous Spontaneous Security. DPM SETOP 2012 2012. Lecture Notes in Computer Science, vol 7731. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35890-6_17

  • DOI: https://doi.org/10.1007/978-3-642-35890-6_17

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-35889-0

  • Online ISBN: 978-3-642-35890-6

  • eBook Packages: Computer Science, Computer Science (R0)
