Orientación Pedagógica Basada en Problemas

Göran Pulkkis

Arcada Polytechnic, Finland

Kaj J. Grahn

Arcada Polytechnic, Finland

Jonny Karlsson

Arcada Polytechnic, Finland

Nhat Dai Tran

Arcada Polytechnic, Finland

Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.

AbstrAct

Security issues of Symbian-based mobile computing devices such as PDAs and smart phones are sur- veyed. The evolution of Symbian OS architecture is outlined. Security threats and problems in mobile computing are analyzed. Theft/loss of the mobile device or removable memory cards exposes stored sensitive information. Wireless connection vulnerabilities are exploited for unauthorized access to mo- bile devices, to network, and to network service. Malicious software attacks in form of Trojan horses, viruses, and worms are also becoming more common The Symbian OS is open for external software and content which makes Symbian devices vulnerable for hostile applications. Embedded security features in Symbian OS are: a cryptographic software module, verification procedures for PKI signed software

installation files, and support for the communication security protocols IPSec and TLS. The newest

version 9.3 of Symbian also embeds a platform security structure with layered trusted computing, pro-

tection capabilities for installed software, and data caging for integrity and confidentiality of private

data. Fundamental security requirements of a Symbian based mobile device such as physical protection, device access control, storage protection, network access control, network service access control, and

Security of Symbian Based Mobile Devices

intrOductiOn

Users of the Internet have become increasingly more mobile. At the same time, mobile users want to access Internet wireless services demanding the same quality as over a wire. Emerging new protocols and standards, and the availability of WLANs, cellular data and satellite systems are making the convergence of wired and wireless Internet possible. Lack of standards is however still the biggest obstacle to further development. Mobile devices are generally more resource constrained due to size, power and memory. The portability making these devices attractive greatly increases the risk of exposing data or allowing network penetration.

Mobile handheld devices can be connected to a number of different kinds of networks. Such wire- less networks are cellular networks, personal area networks (PANs), local area networks (LANs), metropolitan area networks (MANs) and wide area networks (Satellite-based WANs). Network services needed for transferring data to and from a mobile device include among others e-com- merce, electronic payments, WAP and HTTP services. The network connection of a mobile device can be based on a dial-up connection through a cellular network (GSM, UMTS), be based on packet communication through a cellular network (GPRS), be a WLAN or a Bluetooth con- nection, or be an infrared link (IrDA). Network connection examples are e-mailing (pop3, pop3s, imap, imaps, smtp, smtps), web browsing (http, https), synchronization with a desktop compu- ter (HotSync, ActiveSync, SyncML), network

monitoring/management (snmp), reception of video/audio streams, and communication of any installed application.

Realization of data services over mobile devices offers interesting new features for the user, but also a threat to security. A mobile de- vice optimized for data services requires that the terminal becomes an open platform for software applications, i.e. the mobile device becomes more vulnerable to attacks. Mobile computing also requires operating systems supporting mobile environments. Such a widely used operating system is Symbian OS.

Symbian is a common operating system for mobile communication devices. The most important requirements are multitasking/thread- ing, real-time operation of the cellular software, effective power management, small size of the operation system itself, ease of developing new features, reusability, modularity, connectivity and robustness (DIGIA Inc., 2003). The world’s top mobile phone manufacturers with the largest market share have chosen Symbian. According to many analysts, the major part of operation systems for mobile communication devices of the future will rely on Symbian or on Windows.

In this chapter, security issues of Symbian based mobile devices are surveyed.

bAckgrOund

Mobile computing device types are pocket PC, also called personal digital assistant (PDA), and smart phone. Symbian is the leading operating

network connection security are described in detail. Symbian security is also evaluated by discussing its weaknesses and by comparing it to other mobile operating systems. Current availability of add-on security software for Symbian based mobile devices is outlined in an appendix. In another appendix, measurement results on how add-on security software degrades network communication performance of a Symbian based mobile device are presented and analyzed as a case study.

Security of Symbian Based Mobile Devices

system for smart phones currently available on the market. Symbian was founded as a private independent company in June 1998 by Ericsson, Matsushita, Motorola, Nokia and Psion. Currently, Symbian is owned by BenQ, Ericsson, Panasonic, Nokia, Siemens AG, and Sony Ericsson. There are both open and closed platforms based on Symbian OS. Examples of open platforms are the Nokia platforms UIQ, Series 60, Series 80, and Series 90 and examples of closed platforms are the platforms developed for NTT DoCoMo’s FOMA handsets. The most recent version of Symbian OS is Symbian OS v9.3. (Symbian OS Version 9.3, 2006)

During recent years, security has become a very important issue when Symbian OS platforms and applications are developed and designed. The security threats related to data stored in the devices, network communication, and software installation have increased in parallel with the evolution of the Symbian device platforms and the increasing use of Symbian devices. Symbian devices are becoming more commonly used also by corporate employees for storing confidential data. Such data are easily physically accessed if the device is lost or stolen. Confidential data sent to and from Symbian devices over various wire- less network connections can be captured “from the air” by intruders. Malware attacks are also an increasing threat against Symbian devices. The first Symbian worm, Cabir, was detected in 2004. Today, there are already several known Symbian viruses and malware threatening smart phone users.

Security solutions for Symbian devices are currently under ongoing development. The Sym- bian OS provide embedded security features i.e. underlying support for secure communications protocols, such as TLS/SSL, and authentication of installable software using digital certificates. Security solutions are also developed by several third party companies. Such solutions include anti-virus software, personal firewalls, memory card encryption, and access control systems.