Important Note - Interest is terrible thing to waste. Where are you?

\/ w4rri0r \/Hacking is not a crime - It's an art of Awareness. \/ w4rri0r mission \/ is to make the information systems more secure, more aware, more reliable and protect against possible security breaches.

\/ w4rri0r \/ internationally recognized as a Security Researcher or White-Hat Hacker and Hall of Fame by Google, Microsoft, Yahoo, AppleRedHat, AT&T, Adobe, PayPal, Yandex, eBay, Deutsche TelekomBarracuda Networks, Nokia Siemens Network, Tuenti, Opera, BlackBerry, Nokia, SpotifyZynga, Netflix, iFixit, Basecamp, SoundCloudConstant Contact, Xmarks, LaunchKey, Zendesk and we are currently building \/ w4rri0r group \/ and inviting to join worldwide Security Researchers and Professionals. If you think you can contribute anything for \/ w4rri0r group \/ you are heartily invited and we'll give credit for your contribution and is greatly appreciated. [Launching soon]

If you have any questions, ideas, suggestions or contributions please do not hesitate to contact @ This email address is being protected from spambots. You need JavaScript enabled to view it. and will respond you within 24 hours.

Open Panel
  • Register

Mobile Security

Mobile security or mobile phone security has become increasingly important in mobile computing. It is of particular concern as it relates to the security of personal information now stored on smartphones.

More and more users and businesses use smartphones as communication tools but also as a means of planning and organizing their work and private life. Within companies, these technologies are causing profound changes in the organization of information systems and therefore they have become the source of new risks. Indeed, smartphones collect and compile an increasing amount of sensitive information to which access must be controlled to protect the privacy of the user and the intellectual property of the company.

All smartphones, as computers, are preferred targets of attacks. These attacks exploit weaknesses related to smartphones that can come from means of communication like SMS, MMS, wifi networks, and GSM. There are also attacks that exploit software vulnerabilities from both the web browser and operating system. Finally, there are forms of malicious software that rely on the weak knowledge of average users.

Different security counter-measures are being developed and applied to smartphones, from security in different layers of software to the dissemination of information to end users. There are good practices to be observed at all levels, from design to use, through the development of operating systems, software layers, and downloadable apps.

 

Challenges of Mobile Security

A smartphone user is exposed to various threats when he uses his phone. These threats can disrupt the operation of the smartphone, and transmit or modify the user data. For these reasons, the applications deployed there must guarantee privacy and integrity of the information they handle. In addition, since some apps could themselves be malware, their functionality and activities should be limited (for example, accessing location information via GPS, address book, transmitting data on the network, sending SMS that are charged, etc.).

There are three prime targets for attackers:

  • Data: smartphones are devices for data management, therefore they may contain sensitive data like credit card numbers, authentication information, private information, activity logs (calendar, call logs);
  • Identity: smartphones are highly customizable, so the device or its contents are associated with a specific person. For example, every mobile device can transmit information related to the owner of the mobile phone contract, and an attacker may want to steal the identity of the owner of a smartphone to commit other offenses;
  • Availability: by attacking a smartphone you can limit access to it and deprive the owner of the service


The source of these attacks are the same actors found in the non-mobile computing space:


  • Professionals, whether commercial or military, who focus on the three targets mentioned above. They steal sensitive data from the general public, as well as undertake industrial espionage. They will also use the identity of those attacked to achieve other attacks;
  • Thieves who want to gain income through data or identities they have stolen. The thieves will attack many people to increase their potential income;
  • Black hat hackers who specifically attack availability. Their goal is to develop viruses, and cause damage to the device. In some cases, hackers have an interest in stealing data on devices.
  • Grey hat hackers who reveal vulnerabilities. Their goal is to expose vulnerabilities of the device. Grey hat hackers do not intend on damaging the device or stealing data.

 

Consequences

When a smartphone is infected by an attacker, the attacker can attempt several things:

  • The attacker can manipulate the smartphone as a zombie machine, that is to say, a machine with which the attacker can communicate and send commands which will be used to send unsolicited messages (spam) via sms or email;
  • The attacker can easily force the smartphone to make phone calls. For example, you can use the API (library that contains the basic functions not present in the smartphone) PhoneMakeCall by Microsoft, which collects telephone numbers from any source such as yellow pages, and then call them. But the attacker can also use this method to call paid services, resulting in a charge to the owner of the smartphone. It is also very dangerous because the smartphone could call emergency services and thus disrupt those services;
  • A compromised smartphone can record conversations between the user and others and send them to a third party. This can cause user privacy and industrial security problems;
  • An attacker can also steal a user's identity, usurp their identity (with a copy of the sim, telephone, etc.), and thus impersonate the owner. This raises security concerns in countries where smartphones can be used to place orders, view bank accounts or are used as an identity card;
  • The attacker can reduce the utility of the smartphone, by discharging the battery. For example, he can launch an application that will run continuously on the smartphone processor, requiring a lot of energy and draining the battery. One factor that distinguishes mobile computing from traditional desktop PCs is their limited performance. Frank Stajano and Ross Anderson first described this form of attack, calling it an attack of "battery exhaustion" or "sleep deprivation torture";
  • The attacker can prevent the operation and/or starting of the smartphone by making it unusable. This attack can either delete the boot scripts, resulting in a phone without a functioning OS, or modify certain files to make it unusable (e.g. a script that launches at startup that forces the smartphone to restart) or even embed a startup application that would empty the battery;
  • The attacker can remove the personal (photos, music, videos, etc.) or professional data (contacts, calendars, notes) of the user.

 

Attacks based on communication

  1. Attack based on SMS & MMS
  2. Attacks based on the GSM networks
  3. Attacks based on Wi-Fi
  4. Principle of Bluetooth-based attacks

 

Attacks based on vulnerabilities in software applications

  1. Web Browser
  2. Operating System
  3. Physical Attacks

 

Preventing of Mobile Security

The security mechanisms in place to counter the threats described above are presented in this section. They are divided into different categories, as all do not act at the same level, and they range from the management of security by the operating system to the behavioral education of the user. The threats prevented by the various measures are not the same depending on the case. Considering the two cases mentioned above, in the first case one would protect the system from corruption by an application, and in the second case the installation of a suspicious software would be prevented.

Security in operating systems

The first layer of security within a smartphone is at the level of the operating system (OS). Beyond the usual roles of an operating system (e.g. resource management, scheduling processes), on a smartphone, it must also establish the protocols for introducing external applications and data without introducing risk.

A central idea found in the mobile operating systems is the idea of a sandbox. Since smartphones are currently being designed to accommodate many applications, they must put in place mechanisms to ensure these facilities are safe for themselves, for other applications and data on the system, and the user. If a malicious program manages to reach a device, it is necessary that the vulnerable area presented by the system be as small as possible. Sandboxing extends this idea to compartmentalize different processes, preventing them from interacting and damaging each other. Based on the history of operating systems, sandboxing has different implementations. For example, where iOS will focus on limiting access to its API for applications from the App Store, Android bases its sandboxing on its legacy of Linux.

The following points highlight mechanisms implemented in operating systems, especially Android.

  1. Rootkit Detectors
  2. Process Isolation
  3. File Permissions
  4. Memory Protection
  5. Development Through Runtime Environments


Security Software

Above the operating system security, there is a layer of security software. This layer is composed of individual components to strengthen various vulnerabilities: prevent malware, intrusions, the identification of a user as a human, and user authentication. It contains software components that have learned from their experience with computer security; however, on smartphones, this software must deal with greater constraints.

  1. Antivirus and Firewall
  2. Visual Notifications
  3. Turing Test
  4. Biometric Identification


Resource Monitoring in the smartphone

When an application passes the various security barriers, it can take the actions for which it was designed. When such actions are triggered, the activity of a malicious application can be sometimes detected if one monitors the various resources used on the phone. Depending on the goals of the malware, the consequences of infection are not always the same; all malicious applications are not intended to harm the devices on which they are deployed. The following sections describe different ways to detect suspicious activity.

  1. Battery
  2. Memory Usage
  3. Network Traffic
  4. Services


Network surveillance

Network traffic exchanged by phones can be monitored. One can place safeguards in network routing points in order to detect abnormal behavior. As the mobile's use of network protocols is much more constrained than that of a computer, expected network data streams can be predicted (e.g. the protocol for sending an SMS), which permits detection of anomalies in mobile networks.

  1. Spam Filters
  2. Encryption of Stored or Transmitted Information
  3. Telecom Network Monitoring

 

Manufacturer's surveillance

In the production and distribution chain for mobile devices, it is the responsibility of manufacturers to ensure that devices are delivered in a basic configuration without vulnerabilities. Most users are not experts and many of them are not aware of the existence of security vulnerabilities, so the device configuration as provided by manufacturers will be retained by many users. Below are listed several points which manufacturers should consider.

  1. Remove Debug Mode
  2. Default Settings
  3. Security Audit of Apps
  4. Detect Suspicious Applications Demanding Rights
  5. Revocation Procedures
  6. Avoid Heavily Customized Systems
  7. Improve Software Patch Processes

CORE Impact Professional

Logo Core ImpactCORE Impact Professional is the most comprehensive software solution for assessing and testing security vulnerabilities throughout your organization.

 
 

Read More...

IBM Security AppScan

Logo IBM Rational AppScanIBM Rational AppScan Enterprise is a scalable solution to help resolve application security vulnerabilities, offering recommendations to simplify remediation.

 

Read More...

HP WebInspect

Logo - HP WebInspectHP WebInspect gives security professionals and security novices alike the power and knowledge to quickly identify and validate critical, high-risk security vulnerabilities.

 

Read More...

Acunetix WVS

logo acunetix web application securityAcunetix Web Vulnerability Scanner (WVS) is an automated web application security testing tool that audits web applications by checking for hacking vulnerabilities. 

 

Read More...

w4rri0r - Hacking Is Not A Crime - It's an art of Awareness

\/ w4rri0r - Hacking Is Not A Crime - It's an art of Awareness \/ -  w4rri0r work in the dark, w4rri0r do what w4rri0r can, w4rri0r give what w4rri0r have, w4rri0r doubt is w4rri0r passion and w4rri0r passion is w4rri0r task. The rest is the madness of art \/ w4rri0r \/ 

\/ w4rri0r.com \/ are the great resource for information security professionals and researcher. \/ w4rri0r \/ offers a extensive variation of information security services that include SECURITY EXPLOITS (Bug or Vulnerability), SECURITY ADVISORIES (Security Alerts), SECURITY RESEARCHER TOOLBOX (Freeware, Shareware & Open-Source), SHELLCODE (Attacker Controller - Chunk of Data), SECURITY TRAINING (Educational Purpose), SECURITY NEWS (Security Recent or Important Events) and with this group you can be assured that you’re in the right hands. \/ w4rri0r gr0up \/  efforts being endorsed and appreciated by administrators, security researchers and members of various underground hacking groups and communities worldwide.

\/ w4rri0r mission \/ are to make the information systems more secure, more aware, more reliable and protect against possible security breaches.