The Potential for Data Loss from “Security Protected” Smartphones
Smartphones have been widely adopted by organisations for day to day business and operational use, and employees can often access their work related data by connecting to corporate networks using their Smartphones. Many organisations have corporate policies for acceptable usage of computer equipment, which are now being extended to the use of Smartphones, for example the mandatory usage of antivirus software to prevent data loss or corruption. This article first highlights some differences between traditional computer and Smartphone operating systems (OS) and considers various security features provided by Smartphone OS. The article then calls into question the effectiveness of Smartphone antivirus software by presenting an effective malware attack as a practical proof of concept.
2 Comparison of Smartphone and Traditional Computer OS
The architecture of Smartphone operating systems like Google Android and Apple iOS are different to the traditional computer OS. Some characteristics and flaws are discussed in the following sections.
2.1 Traditional Computer OS
The security architecture of a traditional computer operating system has a number of rings. For example, the x86 architecture has four rings ; ring 0 is used for kernel, ring 1 is used for device drivers, ring 2 is used for System services and APIs and ring 3 is used for user applications. However, some major operating systems including Microsoft Windows  and Linux only implement two rings. Ring 0 is used for kernel and device drivers whereas ring 3 is used for user applications. The potential risk of such an implementation is that, if a malicious application manages to compromise a device driver, it could also compromise the kernel and in turn the whole OS. This leads to the serious situation whereby a rogue application might get root or kernel access . Another potential weakness is that an OS may not isolate applications based on users. This is illustrated in Figure 1 in which the task manager shows applications sharing common usernames 'User1' and 'SYSTEM'. There may be security risks if all user applications have the same rights as that of the logged in user and if applications can share each other’s resources.
Figure 1 Windows Task Manager shows applications sharing 'User Name'
2.2 Smartphone OS
Smartphone operating systems, such as Android and iOS, implement a kind of ring (or layered) architecture. For example, Figure 2 shows the Android structure .
Figure 2 Android Architecture
The basic principle is that user applications run in the application layer and only Android OS services should get system level access and be able to run as ‘root’. This is true for normal non “jail-broken” phones. A jail-broken phone is a phone that bypasses limitations imposed by the OS so that users can install custom applications and even get root access. Clearly the practical feasibility of jail-breaking Smartphones and then misusing privileges is a major security concern and a related experiment is described in section 4.
Typically a Smartphone records the permitted access to system resources when the application is installed by the user. A unique user identifier (ID) is created for every application at the time of installation. The OS maintains the details of the access rights for every user ID . The username for an installed application can be different for the same application on different phones. The OS should not allow access to resources unless the user has granted permission. Android and iOS implement process isolation whereby each application runs in its own sandbox so that an application should not be able to access resources of other applications . If an application is compromised, the damage should then be limited to the application and the resources it has access to. However, if the rogue application is somehow given root access then the potential for damage is great.
3 Comparison of Computer Antivirus with Smartphone Antivirus Software
If a company is concerned about IT security risks then its security policy may mandate the use of computer antivirus software to protect against threats such as a virus, Trojan, malware, malicious code, root kits, intrusion and web content. Enterprise antivirus solutions provide additional features including system lock-down, application and device control, application white listing and blacklisting, host integrity and network access control. Smartphone antivirus products typically support antivirus, web content filtering, anti-theft, parental control and call/text blocking.
The architecture of a traditional computer operating system allows an antivirus application to gain kernel or root access. Figure 3 shows that Symantec antivirus, ‘Smc.exe’ is running as ‘SYSTEM’. The user ‘SYSTEM’ is used by the OS.
Figure 3 Symantec Antivirus (Smc.exe) Running as 'SYSTEM'
However, a very important difference for Smartphone antivirus is that it does not have root or kernel access. In fact an antivirus on a Smartphone is just like any other user application. Figure 4 illustrates that Symantec Mobile security is running on an Android phone as user ‘app_39’.
Figure 4 Symantec Mobile Security Running as user 'app_39'
4 Proof of Concept Exploit Against Smartphone Security
An experiment was carried out in order to assess the practicality of bypassing Smartphone control of security privileges and also the security products which are meant to provide protection. The first stage of the process was to jailbreak the phone by using CyanogenMod. The phone in question was a HTC G1 Android phone, but other phones including iPhones could have been targeted with a similar type of approach. The processes for jail-breaking are described on the Internet  and when successfully executed provide unrestricted application download and root access to the OS. There is a terminal for direct access or the privileges can be granted to user applications. Whilst the development of a jail-breaking strategy/utility requires expertise, to use the utility is relatively simple. A user just needs to follow a sequence of steps, and importantly this is no longer considered as an illegal activity.
A proof of concept malware ‘safebot’  was loaded onto the phone. The malware actually deleted SMS messages soon after reception by the phone, without them ever reaching the application layer or alerting the user on the display of the phone. Smartphone antivirus products i.e. Norton Mobile security and McAfee Mobile Security were loaded in turn to try and address this problem. Unfortunately neither product could detect the presence or operation of the malware. However, the same malware file 'safebot' is detected as Backdoor.Trojan on computer by Anti-virus products. This means that an attacker could potentially introduce a rogue application (root kit) in the security architecture which can effectively eavesdrop, modify, delete and generate data between the connecting layers. The reason for this can be seen in Figure 5; the malware is running with 'root' access whereas the antivirus is running at the application layer.
Figure 5 Proof of Concept 'Safebot' Malware Running as 'Root' on a rooted Android phone.
5 Conclusions and Suggestions
From a security perspective it is clear that traditional computer platforms are far from perfect, however their problems are reasonably well understood and there are third party products such as antivirus software that can help add protection. Our investigations have shown that commonly used Smartphone platforms have significant differences to traditional computers and cannot be compromised easily. Evidence from experiment shows that malware may be installed with root access on 'jail-broken' smartphones and yet remain invisible to commercial anti virus products that are restricted to the application layer. Malware that has root privilege has access to all the system resources and can potentially exfiltrate data such as files, contacts, browsing history, web form data and other user sensitive information without the users consent. It is the ability for applications to get root access that is the main concern and security policy should certainly forbid use of jail-broken Smartphones for corporate use. Organizations should consider using tools like 'Mobile Device Management' and 'Network Access Control' for smartphones.
Author: Vikas Rajole (firstname.lastname@example.org) M.Sc. Information Security from Royal Holloway, University of London.
Co-authors: Dr. Keith Mayes (Keith.email@example.com) Director, Smart Card Center, Royal Holloway University of London.
Kostantinos Markantonakis (K.Markantonakis@rhul.ac.uk) Professor at Royal Holloway, University of London.
 X86 Ring Architecture http://en.wikipedia.org/wiki/Ring_(computer_security)
 Windows Architecture http://technet.microsoft.com/en-us/library/cc76812...
 White Paper: Symantec Security Response – Windows Rootkit Overview http://www.symantec.com/avcenter/reference/windows... Page 5
 Android Architecture http://developer.android.com/guide/basics/what-is-...
 Android Application Sandbox http://source.android.com/tech/security/index.html
 Whitepaper by Symantec – “A Window Into Mobile Device Security”, http://www.symantec.com/content/en/us/about/media/...
 YouTube video link on "How To Root T-Mobile G1 with Android 1.6"
 Georgia Weidman's website that provides the download link for "Proof of Concept" safebot malware, http://www.grmn00bs.com/2011/07/11/more-Android-sm...