Practical Attacks on Security and Privacy Through a Low-Cost Android Device

Authors

  • Greig Paul, University of Strathclyde, Department of Electronic & Electrical Engineering, Glasgow, United Kingdom
  • James Irvine, University of Strathclyde, Department of Electronic & Electrical Engineering, Glasgow, United Kingdom

DOI:

https://doi.org/10.13052/2245-1439.422

Keywords:

Security, Privacy, Android, Exploit, Physical Access

Abstract

As adoption of smartphones and tablets increases, and budget device offerings become increasingly affordable, the vision of bringing universal connectivity to the developing world is becoming more and more viable. Nonetheless, it is important to consider the diverse use-cases for smartphones and tablets today, particularly where a user may only have access to a single connected device. In many regions, banking and other important services can be accessed from mobile connected devices, expanding the reach of these services. This paper highlights the practical risks of one such low-cost computing device, showing the ease with which a very recent (manufactured September 2015) Android-based internet tablet, designed for the developing world, can be completely compromised by an attacker. The weaknesses identified allow an attacker to gain full root access and persistent malicious code execution capabilities. We consider the implications of these attacks and the ease with which they may be carried out, and highlight the difficulty a user faces in effectively mitigating these weaknesses, even on a recently manufactured device.

 


Author Biographies

Greig Paul, University of Strathclyde Department of Electronic & Electrical Engineering Glasgow, United Kingdom

G. Paul received the B.Eng. (Hons.) degree in Electronic & Electrical Engineering from the University of Strathclyde, Glasgow, UK, in 2013. He is currently pursuing the Ph.D. degree in the Mobile Communications Group at the University of Strathclyde. He is a Graduate Student Member of the IEEE, and The Institution of Engineering and Technology, and the Chair of the University of Strathclyde IEEE Student Branch. His research interests include secure data storage and retrieval, practical considerations in the design of secure systems, and the design of privacy-preserving service architectures. Greig is the recipient of an EPSRC Doctoral Training Grant.

James Irvine, University of Strathclyde Department of Electronic & Electrical Engineering Glasgow, United Kingdom

J. Irvine received the B.Eng. (Hons.) degree in Electronic and Electrical Engineering and the Ph.D. degree in coding theory from the University of Strathclyde, Glasgow, U.K., in 1989 and 1994, respectively. He is currently a Reader with the Department of Electronic and Electrical Engineering, University of Strathclyde, Glasgow, U.K., where he also leads the Mobile Communications Group. He is a coauthor of seven patents and the books Digital Mobile Communications and the TETRA System (Wiley, 1999) and Data Communications and Networks: An Engineering Approach (Wiley, 2006). His research interests include mobile communication and security, particularly resource allocation and coding theory. Dr. Irvine is an elected member of the Board of Governors of the IEEE Vehicular Technology Society, a member of the IET, a Fellow of the Higher Education Academy, and is a Chartered Engineer.


Published

2015-11-20

How to Cite

Paul G, Irvine J. Practical Attacks on Security and Privacy Through a Low-Cost Android Device. JCSANDM [Internet]. 2015 Nov. 20 [cited 2024 Nov. 4];4(2-3):33-52. Available from: https://journals.riverpublishers.com/index.php/JCSANDM/article/view/5151

Section

Articles