ITS 4050 - Internet and Web Security


Chapter 12, Securing Mobile Communications

This lesson presents some material from chapter 12. Objectives important to this lesson:

  1. Endpoint devices
  2. Wireless networks
  3. Communications commonly used by endpoint devices
  4. Risks, threats, and vulnerabilities
  5. OWASP mobile risks
  6. Best practices

Concepts:
Chapter 12

An endpoint device is any device that is at the end of a network branch. It is typically a device that serves the purposes of a user, not those of a system administrator. Endpoint devices can be any devices that attach to a network and can read data from that network. As the text reminds us, this category includes smart devices, cell phones, and tablets as well as laptops, printers, and more conventional computers. This chapter deals with mobile endpoint devices, and begins with a few remarks about cell phones.

I was reminded by an ad this week that the first cell phone call was made on April 3, 1973, currently 46 years ago. The text mentions some history about early cell phones. It may be useful to consider the diagrams at the bottom of pages 300 and 301. The first shows a schematic of a 3G network: a cell phone had the capacity to transfer voice signals or data signals over separate channels, but the data service varied greatly by carrier, plan, and location. The 4G system simplified the situation by pushing voice and data over the same IP connection to a cell tower, passing that data over a data network, and then forking to either an Internet-based path to a data device or a PSTN (Public Switched Telephone Network) path to a telephone.

Page 303 presents a table of security concerns about 3G and 4G service. Confusingly, we are told that 3G does not encrypt packets on the data channel, but that IPSec is supported on it. I suppose the author means that the technology supports it, but the carrier does not have to implement it. The same table tells us that security is better on 4G networks, but we should still be wary of trusting security whose implementation we know nothing about.

In case you are wondering, here is a link to an article on CNET, published 4/5/2019 (today!) about a test of 5G service that has just been implemented in Chicago. The bottom line is that the reporter thinks the service isn't ready for prime time yet. If that doesn't mean anything to the younger readers, it means that it is a new technology, suffering from bugs, not performing up to the advertising hype that was generated for it. This is how technology often is when there are new developments. It may be much better once the real-world problems are diagnosed and addressed.

The next section of the chapter discusses several services that may be expected to operate on endpoint devices. The devices in question seem to be smart devices.

  • Voice service - Cell phones are expected to offer voice service, but non-phone devices may offer voice services through Skype or Facebook. The text seems mostly relieved that we are no longer in the days of unencrypted analog signals. At that time, eavesdropping was easy with frequency scanners. The text seems confident that encrypted signals are trustworthy in modern systems.
  • Internet browsing - The phrase "Internet browsing" covers a lot of risky activity, from shopping to bill payment and anything else that affects your money and credit. The text is concerned about using HTTP (clear text transmission) rather than the encrypted HTTPS. It is also concerned about virus protection for each device you use to access web pages for any reason. Cyberspace is often unfriendly. You need protection for your devices.
  • E-mail - The text proposes that people expect access to email, both business and personal, on any device they have handy. Until you are compromised by an email attack, you are unlikely to be a believer in the basic protections that have already been mentioned. It's a computer: protect it.
  • Instant messaging and text messaging - The text lists these as two services, but most people consider them to be the same, which may be why people are often surprised by the length of time a text message may take to be delivered. Instant messaging often uses a proprietary account and/or software. SMS messaging is typically compatible from one vendor to another, so it does not matter who your carrier is, or who your friend's carrier is. The first problem associated with messaging is that antivirus programs typically do not protect texts. On the other hand, an attack through a text is often from a file the text asks you to download and open, and a good antivirus program should catch that. The second problem is not technological. It is that people continue to text and drive, causing car crashes. How about this? Let's decide to do one thing at a time. Drive, text, eat, talk to your friends, whatever: pick one, and quit messing up the other things you were about to do badly.
  • Multimedia messaging - MMS service allows the addition of graphic, video, and audio files to messages. This is handy for sending someone a quick photo. Note the table on page 309 that examines each of these services in regard to four vulnerabilities. This service is vulnerable to all four.

Regarding that table on page 309, note that all the listed services have vulnerabilities. Voice seems the safest; web browsing seems the most dangerous.

Pages 310 through 320 discuss ten risk articles published by OWASP. Taking a look at their site on the Internet, I see that the list in our text appears to match the OWASP list for 2014. The only more recent list on that page is for 2016, so this is not recent data. For what it is worth, these risks apply to mobile and non-mobile devices.

The chapter ends with some general suggestions for better security. Most have been covered already in the chapter. Browse through this section. Let's discuss any ideas that seem valuable to you.

 

Assignments

  1. Continue the reading assignments for the course.
  2. This week you should continue work on your term project/final exam. I have set up a discussion for it, and points will be given for participation.
  3. Complete and submit outstanding assignments.