System Integrity for Smartphones : A security evaluation of iOS and BlackBerry OS

Sammanfattning: Smartphones are one of the most popular technology gadgets on the market today. The number of devices in the world is growing incredibly fast and they have today taken an important place in many person's everyday life. They are small, powerful, always connected to the Internet and they are usually containing a lot of personal information such as contact lists, pictures and stored passwords. They are sometimes even used as login tokens for Internet bank services and web sites. Smartphones are, undoubtedly, incredible devices! But are smartphones secure and is stored information safe? Can and should these devices be trusted to keep sensitive information and personal secrets? Every single day newspapers and researcher warns about new smartphone malwares and other security breaches regarding smartphones. So, are smartphones safe to use or are they a spy's best friend in order to surveil a person? Can a user do anything to make the device more secure and safe enough to use it in a secure manner? All these questions are exactly what this paper is about! This paper is addressing two popular smartphone platforms, iOS and BlackBerry OS, in order to evaluate how secure these systems are, what risks that occur when using them and how to harden the platform security to make these platforms as secure and safe to use as possible. Another aim of this paper is to discuss and give suggestions on how a separate and dedicated hardware token can be used to improve the platform security even further. In order to evaluate the security level of these platforms, a risk and threat analysis has been made as well as some practical testing to actually test what can be done. The test part consists mostly of a proof-of-concept spyware application implemented for iOS and an IMSI-catcher used to eavesdrop on calls by using a rogue GSM base transceiver station. The implemented spyware was able to access and transfer sensitive data from the device to a server without notifying the user about it. The rogue base station attack was even scarier since with only a few days work and equipment for less than $1500 can smartphones be tricked to connect to a rogue base station and all outgoing calls can be intercepted and recorded. The risk analysis resulted in not less than 19 identified risks with mixed severity of the impact. Some configurations and usage recommendation is given in order to prevent or mitigate these risks to make the usage of these platforms safer. The aim of suggesting how a hardware token can be used to strengthening these platforms have been a bit of failure since no really working suggestion has been possible to give. It is a result of that these systems are tightly closed for modification by third parties, and such modifications are needed in order to implement a working hardware token. However, a few partial suggestions for how such a token can work are given. The result of this work indicates that neither iOS nor BlackBerry OS is entirely secure and both need to be configured and used in a correct way to be safe for the user. The benefits of a hardware token should be huge for these systems but the implementations that are possible to do is not enough and it might not be of interest to implement a hardware token for these systems at the moment. Some of the identified risks require the attacker to have physical access to the device and this can only be prevented if the user is careful and acts wisely. So, if you want to use high technology gadgets such as smartphones, be sure to be a smart user!