- The approach of identifying the components that interact when carrying out the attacks proposed for the security model is appropriate, but there are some elements that the model did not take into account.
- The proposed security model can be used to identify possible future problems regarding Integrity, Confidentiality and Availability in the platform.
- The proposed security model serves as a basis for developing new components and new security mechanisms that must be implemented in the platform to mitigate the threats in the components it identified.
- The comparison carried out between the security model and the functional tests makes it possible to establish the level of confidence that can be placed in the security model when identifying architecture components that compromise the principles of Integrity, Confidentiality and Availability.
- The proposed security model failed to identify components in some cases because the behavior of the attacks can vary depending on the model of the mobile device on which they are tested and on the configuration of the device.
- The impact on the user's device of some of the attacks considered in the research can be reduced if the device is used "correctly".
- The attacks chosen for the tests were very helpful, because they compromised the most important principles of information security and because they covered aspects that the security model did not take into account.
- Thanks to the research carried out in this degree project (Trabajo de Grado), it was determined that most attacks carried out against the Android platform compromise the three most important principles of information security.
- It was verified that, at the platform level, Android has many vulnerabilities in terms of permissions and security mechanisms.
- The security mechanisms proposed by the security model must be tested to determine by what percentage attacks on the platform are mitigated.
- This model made it possible to show that more than one security principle is compromised for each component of the Android 4.1 platform architecture.
- The security model proposes resources in each component for mitigating attacks that compromise the Integrity, Confidentiality and Availability of information, based on security mechanisms that already exist in the architecture and on other mechanisms that do not exist but are suggested as a change for the next version of the platform and that could help solve the security problems identified by the model.
- The results found after preparing the checklists show that the model is a good approximation in terms of architecture, but that it must be refined to meet the architecture requirements of Construx One.
2. Recommendations
The topics within the line of knowledge of this work are very extensive and very interesting. Many of them are also new and pose a challenge for the student, since most of the information and documentation is found not in books but on the Internet (security conferences, blogs, magazines, among others).
I recommend this research topic to students who are going to carry out their degree project, since the amount of information generated around this topic is almost incremental. Attacks on information security increase as technology changes, and new knowledge on this topic is generated every day.
I recommend that the department promote research more among the students of the program and spread more information about the program within the University and outside it, so that this area of knowledge keeps growing.
I recommend that the department also promote the research groups that currently exist in the program, and that ideas for degree projects arise from these groups, so that students do not have to wait until they take the Seminario de la Metodología de Investigación course to formulate a valid degree project topic.
I recommend that the University promote the Ingeniería de Sistemas (Systems Engineering) program at the city level and at the national level across its different campuses.
3. Future Work
The development of additional components that can be integrated into the architecture of the proposed security model and that mitigate the attacks found in the research.
Software developments based on the security model to improve the Android permission model and prevent the threats found from occurring on devices.
Manuals for developing Android applications that take into account the security principles identified in the model and the components that interact when those principles are compromised.
Development of new security policies that can be implemented in future versions of the Android platform and that reduce the threats to mobile devices.