ITS 4050 - Internet and Web Security
Chapter 12, Securing Mobile Communications
This lesson presents some material from chapter 12. Objectives important
to this lesson:
- Endpoint devices
- Wireless networks
- Communications commonly used by endpoint devices
- Risks, threats, and vulnerabilities
- OWASP mobile risks
- Best practices
Concepts:
Chapter 12
An endpoint device is any device that is at the end of a network branch.
It is typically a device that serves the purposes of a user, not those
of a system administrator. Endpoint devices can be any devices that attach
to a network and can read data from that network. As the text reminds
us, this category includes smart devices, cell phones, and tablets as
well as laptops, printers, and more conventional computers. This chapter
deals with mobile endpoint devices, and begins with a few remarks about
cell phones.
I was reminded by an ad this week that the first cell phone call was
made on April 3, 1973, currently 46 years ago. The text mentions some
history about early cell phones. It may be useful to consider the diagrams
at the bottom of pages 300 and 301. The first shows a schematic of a 3G
network: a cell phone had the capacity to transfer voice signals or data
signals over separate channels, but the data service varied greatly by
carrier, plan, and location. The 4G system simplified the situation by
pushing voice and data over the same IP connection to a cell tower, passing
that data over a data network, and then forking to either an Internet-based
path to a data device or a PSTN (Public Switched Telephone Network)
path to a telephone.
Page 303 presents a table of security concerns about 3G and 4G service.
Confusingly, we are told that 3G does not encrypt packets on the data
channel, but that IPSec is supported on it. I suppose the author means
that the technology supports it, but the carrier does not have to implement
it. The same table tells us that security is better on 4G networks, but
we should still be wary of trusting security whose implementation we know
nothing about.
In case you are wondering, here is a link to an article
on CNET, published 4/5/2019 (today!) about a test of 5G service
that has just been implemented in Chicago. The bottom line is that the
reporter thinks the service isn't ready for prime time yet. If that doesn't
mean anything to the younger readers, it means that it is a new technology,
suffering from bugs, not performing up to the advertising hype that was
generated for it. This is how technology often is when there are new developments.
It may be much better once the real-world problems are diagnosed and addressed.

The next section of the chapter discusses several services that may be
expected to operate on endpoint devices. The devices in question seem
to be smart devices.
- Voice service - Cell phones are expected to offer voice service,
but non-phone devices may offer voice services through Skype or Facebook.
The text seems mostly relieved that we are no longer in the days of
unencrypted analog signals. At that time, eavesdropping was easy with
frequency scanners. The text seems confident that encrypted signals
are trustworthy in modern systems.
- Internet browsing - The phrase "Internet browsing"
covers a lot of risky activity, from shopping to bill payment and anything
else that affects your money and credit. The text is concerned about
using HTTP (clear text transmission) rather than the encrypted HTTPS.
It is also concerned about virus protection for each device you use
to access web pages for any reason. Cyberspace is often unfriendly.
You need protection for your devices.
- E-mail - The text proposes that people expect access to email,
both business and personal, on any device they have handy. Until you
are compromised by an email attack, you are unlikely to be a believer
in the basic protections that have already been mentioned. It's a computer:
protect it.
- Instant messaging and text messaging - The text lists
these as two services, but most people consider them to be the same,
which may be why people are often surprised by the length of time a
text message may take to be delivered. Instant messaging often uses
a proprietary account and/or software. SMS messaging is typically compatible
from one vendor to another, so it does not matter who your carrier is,
or who your friend's carrier is. The first problem associated with messaging
is that antivirus programs typically do not protect texts. On the other
hand, an attack through a text is often from a file the text asks you
to download and open, and a good antivirus program should catch that.
The second problem is not technological. It is that people continue
to text and drive, causing car crashes. How about this? Let's decide
to do one thing at a time. Drive, text, eat, talk to your friends, whatever:
pick one, and quit messing up the other things you were about
to do badly.
- Multimedia messaging - MMS service allows the addition of graphic,
video, and audio files to messages. This is handy for sending someone
a quick photo. Note the table on page 309 that examines each of these
services in regard to four vulnerabilities. This service is vulnerable
to all four.
Regarding that table on page 309, note that all the listed services have
vulnerabilities. Voice seems the safest; web browsing seems the most dangerous.
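To make the HTTP versus HTTPS concern from the Internet browsing item concrete, here is an added example (not from the textbook or this course's materials) that audits a page for anything the browser would fetch or submit over clear-text HTTP. The sample page, its host names, and the high/low severity split are constructed assumptions for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch from or submit to a URL.
URL_ATTRS = {
    "form": "action", "script": "src", "img": "src",
    "iframe": "src", "link": "href", "a": "href",
}

class CleartextAudit(HTMLParser):
    """Collect URLs on a page that would travel over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return
        # Resolve relative and scheme-relative URLs against the page URL.
        target = urljoin(self.page_url, value)
        if urlsplit(target).scheme != "http":
            return
        # Assumed ranking: submitted data and active content outrank links.
        severity = "high" if tag in ("form", "script", "iframe") else "low"
        self.findings.append((severity, tag, target))

def audit(page_url, html):
    parser = CleartextAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample: a bill-payment page that is itself served over HTTPS.
SAMPLE = """
<html><head>
<script src="http://cdn.example.test/pay.js"></script>
<link rel="stylesheet" href="/site.css">
</head><body>
<form action="http://pay.example.test/submit" method="post">
  <input name="card"><input type="submit">
</form>
<img src="//img.example.test/logo.png">
<a href="http://example.test/help">Help</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit("https://pay.example.test/bill", SAMPLE):
        print(*finding)
```

The form finding is the one that matters most for shopping and bill payment: the page arrives encrypted, but the card number typed into it would leave the device in clear text.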
Pages 310 through 320 discuss ten risk articles published by OWASP. Taking
a look at their
site on the Internet, I see that the list in our text appears
to match the OWASP list for 2014. The only more recent list on that page
is for 2016, so this is not recent data. For what it is worth, these risks
apply to mobile and non-mobile devices.
The chapter ends with some general suggestions for better security. Most
have been covered already in the chapter. Browse through this section.
Let's discuss any ideas that seem valuable to you.