Design And Implementation Of Enhanced Application Lockbox For Mobile Device Security

DOI : 10.17577/IJERTV2IS60943

Download Full-Text PDF Cite this Publication

Text Only Version

Design And Implementation Of Enhanced Application Lockbox For Mobile Device Security

Prof. Prashant Jawade Assistant Professor

Thakur College of Engineering &Technology, Mumbai University, Kandivali (E)Mumbai

Mrs. SuwarnaS. Thakre Sr.Lecturer(Information Technology Dept.) Thakur College of Engineering &Technology, Mumbai University, Kandivali (E) 400101.

Abstract

The security requirements for mobile devices are inherently different from stationary machines. Mobility exposes them to different threat environments and excludes them from relying on external physical security. Productive application from enterprise, government, and military will invariably deal with sensitive data. A risk management and security framework is needed to protect applications and data on mobile devices when they are lost. We propose an application lockbox concept that compartmentalizes mobile devices at the application level. It combines policy enforcement mechanisms and support for sophisticated access polices to mitigate the exposure when the device is lost. It is a practical approach that improves the security of mobile devices without requiring significant changes in the current mobile technology. In this Sensitive applications and data will be placed inside encrypted virtual disk volumes to enforce access control[2].The encrypted application volume (EAV) will serve as the embodiment of the application lockbox. EAV encryption keys,longitude and latitude parameters and time will be placed on server . All these parameters act as the policy decision point. It will take inputs from components on the network and require a secured network channel. Riskyapplication stored in EAV and other application will be store separately.eg. Some application should only run while the device is in the office only or secured area.Sensitive application that is not actively being used should be automatically locked. If mobile is lostwe can protect the data in mobile from adversaries.No one can access that data because data is stored in secured area called as EAV.It will be able to protect locked applications and data even if the enemy has physical possession of the device.

  1. Introduction

    Smart phones and other mobile devices are becoming common. They pack a tremendous amount of capabilities into a small handheld form factor. They are as powerful as desktop workstations from a few years ago and fully capable of running sophisticated applications. Therefore enterprises,governments and the military are showing a great deal of interest in utilizing them fully as productivity platform [2]. However, concerns over security remain a significant obstacle. Productive applications will often deal with Sensitive and secret data.

    Table 1. Physical security measures[2]

    Not Sensitive

    Sensitive

    Highly Sensitive

    Low threat

    Room locked

    Guards

    Secured vault

    Medium threat

    Equipment locked

    Armed Guards

    Guard at equipment

    High threat

    Video surveillance

    Fortified building

    Equipment self destruct

    Existing mobile devices do not provide sufficient protection for these applications and their data. Currently, themain concern over security in mobile devices is the immaturity of security in some mobile operating systems. Devices such as the iPhone and Android smart phones are not designed to support enterprise and military grade security. Even if mobile operating systems are hardened to the degree of

    desktop operating systems, additional concerns would remain. It must be recognized that security requirements formobile devices are inherently different from stationary machines. Mobile devices, which include smart phones as well as laptops, are able to move around. Stationary machines at least somewhat rely on external physical security. Desktops are used inside homes and offices. Servers are locked inside data centers. Military systems that handle classified data are secured inside vaultsprotected by armed guards. The amount of physicalsecurity usually commiserates with the sensitivity of the data as well as the level of threat in the environment. Datacenter in dangerous locations have more guards. Sensitivemilitary computer systems deployed in forward bases and on vehicles are armed with self- destruct mechanisms.Thisassumption cannot be made for mobile devices Mobile devices can move around to different environments with different threat levels. They can be used in the office, on a crowded train, inside a secured base, or on the battlefield. Security mechanisms in mobile devices must compensate for the lack of physical security and deal with the risk of device loss appropriately.

  2. Different Techniques

    A number of techniques have been developed to provide data security in mobile devices MAPBox, Application Sandbox, Self Encryption ,location dependent data encryption etc.

      1. Application Sandbox :-

        Sandbox is capable of performing static and dynamic analysis. In the static part, the sandbox decompresses installation les and disassembles corresponding executables. This can be used for cheap and fast pre- checks that might already indicate malicious code fragments and characteristics. In the dynamic part, we make use of the android emulator which is normally used for testing and debugging ordinary android application Investigated Applications are installed to the emulated and isolated environment[6]. After that, applications are executed and can beused within the sandbox for performing behavioral analysis. For improving the dynamic analysis process, the possibility of automated generation of user inputs is investigated.Since these analyses requires extensive resource capabilities, our system is intended to be run as a cloud service. Software distributors, like the Android Market or the AppStore, can run this analyses on each submitted application or users, in turn, can upload suspicious applications to their convenience.

      2. Self-Encryption Scheme:–

        Physical attacks have been proved effective in breaking some welldesigned ciphers in practice [4]. Unfortunately, it is challenging to designers to theoretically investigate the

        robustness of a cipher scheme against various physical attacks. To address this problem, a prototype is going to be implemented on top of reconfigurable hardware devices (i.e.

        FPGAs). Particularly we will study the behavior of our SE prototype under local non-invasive attacks including timing analysis and differential power analysis (DPA). At the server side, They planned to implement the SE protocol on a NetFPGA beside, they have considered to implement the SE stream cipher scheme and SE protocol on another NetFPGA board inserted in a PC, which is connected to the network through wireless connection. Devices such as oscillograph will be used to monitor and record Devices such as oscillograph will be used to monitor and record the electromagnetic leakage when the SE stream cipher is being executed to encrypt/decrypt the data attacks by analyzing the variance of leaking electromagnetic wave. Actually, we expect that our SE stream is not vulnerable to DPA attacks due to the uniqueness of each key stream and a much larger keystream space.

      3. Location dependent data encryption

        There are two phases: register and operation phases. Firstly, a mobile client requests a random seed and a MAC function C rom the information server in the register phase. The information server records the issued random seed and the function C for each individual client. They are very important for ensuring data security in the operation phase. So, they must be transmitted under a secure channel, such as Intranet or VPN (virtual private network). The random seed is the initial value of one-way hash function, such as MD5. A series of session keys is generated according to the random seed. When the mobile client is moving under an insecure channel in the operation phase, the mobile client submits a target coordinate before message transmission. The information server sends the message encrypted by using the coordinate and a specific session key[3]. The session key is changed for every session. Since the information server and the mobile client own the same set of session keys, a key synchronization process is also designed for information server to identify the correct session key. When a secure channel is available for a mobile client, the client can request a new random seed and MAC

        function C. The proposed approach can provide a novel location-dependent data encryption for mobile information system.

      4. Mapbox:-

    MAPbox(Multipurpose application profile) retains the ease of use of application-class-specific sandboxes while providing signicantly more exibility. The key idea is to group application behaviors into classes based on the expected functionality and the resources required to achieve that functionality. Examples of behavior classes includes filters,compilers,editors etc. Classification of the behavior of an application provides a label.which can be used by its provider to conciselydescribe its expected functionality to its users. Thisis similar to MIME-types which are widely usedto concisely describe the expected format offiles.We refer to the label assigned to an application asits Multi- purpose Application Profile-type (or MAP- type). At end-user species the set of application behaviors willing to allow as a set of MAP-types listed in a

    .mapcap file with each map type .associates a suitable sandbox when untrusted application is to be run, this file is consulted.if the map type associated with the application is not present in the

    .mapcapfile,thepplication is not allowed to run. MAP type that would allow the application to access resources that it would not be allowed to if correctly labeled. Xbox has been designed to be used in conjunction of a system-call-level sandbox such as MAPbox and Janus and is to be interposed between an untrusted application and the X server. Before starting an untrusted X application, MAPbox sets the DISPLAY environment variable to a socket that Xbox listens on (unix:4 by default). It then makes sure that the conned application does not bypass Xbox by denying direct connections to the X server[5]. Xbox snoops on all protocol messages and keeps track of the resources (windows, cursors, fonts, graphic contexts and color maps) created by the conned application. Xbox can be easily extended tohandle extensions to the X protocol. The current implementation handles the SHAPE, MIT-SCREEN-SAVER, DOUBLE-BUFFER,

    Multi-Buffering, and XTEST extensions. The confined application is allowed to access/manipulate only the resources that it has created and is allowed to read limited information from the root window (the operations it allows on the root window are both necessary and safe). All other requests regarding specific resources are denied (e.g., CreateWindow, ChangeWindowAttributes, GetWindowAttributes, InstallColorMap, ReparentWindow, ChangeGC, ClearArea, etc).

  3. Problem Statement

    Different techniques (GEO locking[1], self encryption etc.) were implemented toprotect the mobile devices from adversaries. Still Security remains a significant obstacle in mobile devices. Now days mobile devices are common in many applications like Military, government and enterprises invariably deal with sensitive data Existing mobile devices does not provide sufficient protection for these applications and their data. So we propose enhanced application lockbox for mobile device security. To overcome above problems we propose an application lockbox concept that compartmentalizes mobile devices at the application level. It combines policy enforcement mechanisms and support for sophisticated access polices to mitigate the exposure when the device is lost. It is a practical approach that improves the security of mobile devices without requiring significant changes in the current mobile technology.There is an application sandbox in existing system to protect the system from the malicious application by providing the strong separation between the running process. Application sandboxes can exert full control over applications running inside and restrain their maliciousactions. Sensitive applications and data inside the lockbox will be protected from attacks originating from the outside system will have full control over the application lockbox. Our goal is to provide the ability to lockout sensitive applications and data. If thelockbox is locked, applications and data inside it should be protected from the operating system and physical attacks. The application lockbox will serve as the compartmentalization enforcement mechanism for the risk management and security framework. Lockboxes for sensitive applications should be automatically locked when the mobile device is deemed to be in high-risk situations. The goal is for sensitive application and data to be already locked when the enemy or a thief captures the device. Applications should be able to run inside application lockboxes without modification. It is unrealistic to expect organizations to adopt a brand new software framework.

  4. Proposed Method

    In previous paper they have mentioned various techniques such as GEO locking, self encryption, MAP box, MDMS etc. to protect the sensitive data in mobile from adversaries Still there are some problems in security of mobile devices. They have used cryptographic techniques to secure the data. In above techniques data encryption done on mobile device,

    keys are also stored on mobile devices. In some cases encrypted data sent to client by server and client will onlydecrypt the data. In case mobile is lost thereare chances of data hacking. By using above concept we propose application lockbox concepts for data security in mobile device . In Application lockbox secure data stored in separate memory space.In this encryption and decryption keys stored on server, the user is authenticated by considering three parameters such as password, location parameter and time. To develop a risk management and security framework that compartmentalizes sensitive applications and data. Supports fine-grained access policies. The physical security of mobile devices can change access control should be managed according to the threat level.Location based application locked (Applications deemed too risky for the current physical environment should be locked )Eg. Some application should only run while the device is in the office or secured area.office data we can access only in the office not outside the office. Sensitive application that is not actively being used should be automatically locked.Application lockbox concepts are used.Keys

    ,location parameter & time will stored on server side only.Sensitive application and data to be already locked.when the enemy or a thief captures the device. Applications should be able to run insideapplication lockbox without modification. It useful in military, enterprise and government.

    Mobile Device

    EAV

    EAV

    EAV

    EAV

    e

    e

    Eee

    Eee

    Application Applicatio

    enforce access control[2].The encrypted application volume (EAV) will serve as the embodiment of the application lockbox. The EAV encryption keys will be placed on server . The key store will also act as the policy decision point. It will take inputs from components on the netwrk and require a secured network channel. Application should be able to run on the EAV without modification. In EAV we can stored secured application(risky) and other application will store separately .Application installed in EAV need three parameters to match such as time, location parameter and key.Once match found it allow to install the application in EAV.While opening application again same parameters should match then only we can edit the application stored in EAV.Eg. Some application should only run while the device is in the office only or secured areaSensitive application that is not actively being used should be automatically locked. If mobile is lost we can protect the data in mobile from adversaries no one can access that data because data is stored in secured area called as EAV.

  5. High Level of Information Security for existing Mobile Devices

    If the corporation or other organization has an internal safety policy that regulates information security. Table 4 shows how to use certain security techniques as a leverage to mitigate the risk of threats to mobile devices.

    Table 2: Security techniques used to mitigate information security risks.[7]

    Extern al compo

    Data Data Dat Dat

    Operating System

    Operating System

    Mobile device access

    Power-on authentication Require a power-on password or PIN, so the device cannot even be powered by an unauthorized user. Implement a standard process for creating unique user names and PINs.

    Auto-lock Configure device to automatically lock up after a certain period of time

    Two-factor authentication Implement two- factor authentication for access to systems that contain PHI.Consider the use of tokens, call- back, and biometrics

    Data storage

    Data encryption Establish data encryption for mobile devices. Identify the types of hardware and electronic media that must be tracked (hard drives, digital memory cards) and develop

    Mobile device access

    Power-on authentication Require a power-on password or PIN, so the device cannot even be powered by an unauthorized user. Implement a standard process for creating unique user names and PINs.

    Auto-lock Configure device to automatically lock up after a certain period of time

    Two-factor authentication Implement two- factor authentication for access to systems that contain PHI.Consider the use of tokens, call- back, and biometrics

    Data storage

    Data encryption Establish data encryption for mobile devices. Identify the types of hardware and electronic media that must be tracked (hard drives, digital memory cards) and develop

    Figure 1. Architecture of an Enhanced application lockbox

    To use this Application Mobile should have android operating system. Sensitive applications and data will be placed inside encrypted virtual disk volumes to

    inventory control systems.

    Auto-run applications Prevent memory cards from automatically running specific programs.

    Data transmis sion

    Encryption Implement and andate appropriately strong encryption solutions for transmission of PHI. For example access can be implemented over SSL, IPSecora similar VPN technology.

    Signed applications Allow only signed applications to be loaded onto the devices (S/MIME, token-based).

    Data access

    Role-based Employ role-based access as part of a user-provisioning solution. Different users may required different levels of access based on job function.Develop and employ proper clearance procedures and verify training of workforce members prior to granting access.

    Logging and auditing Implement logging and auditing on device and parent network. Ensure that the issue of unauthorized access of PHI is appropriately addressed in the required sanction policy.

    inventory control systems.

    Auto-run applications Prevent memory cards from automatically running specific programs.

    Data transmis sion

    Encryption Implement and andate appropriately strong encryption solutions for transmission of PHI. For example access can be implemented over SSL, IPSecora similar VPN technology.

    Signed applications Allow only signed applications to be loaded onto the devices (S/MIME, token-based).

    Data access

    Role-based Employ role-based access as part of a user-provisioning solution. Different users may required different levels of access based on job function.Develop and employ proper clearance procedures and verify training of workforce members prior to granting access.

    Logging and auditing Implement logging and auditing on device and parent network. Ensure that the issue of unauthorized access of PHI is appropriately addressed in the required sanction policy.

  6. System Overview

    By considering above problem in this paper we implement application lockbox concept to secure our data .In previous paper they have mention security like authentication, malware detection, remote wipe

    ,network security etc.Eencryption and Decryption keys stored on mobile only so any one will find keys very easily.we thought why not to provide physical security to mobile device like pc.e.g. suppose confidential data is there in user mobile and he/she entered in some risky zone in that case

    • our application will automatically lock the data by using longitude and latitude parameter(if no match found)

    • we will assign time suppose user office timing is 9.30am to 5.00 pm he /she work on that data during above timing if we are at home we cannot open that application.

    • main advantage of this application is encryption and decryption keys stored on sever so it very difficult to get the key when mobile is lost.

      Step1:First switch on mobile device( should have android o.s.) and click on lockbox(created application name)

      Step 2:Once open application enter password (it is unique key)

      Step3:Once password match will get another screen in that we can encrypt and decrypt file

      Step 4:Once we click on encrypt data will get following screen

      Step5:Once we click on important data will get screen here we have three fields ,enter corresponding data intofieldsand then click on encrypt. (Data is veryconfidential so entersomething which is very sensitive like acc no, atmpin,pan card no and other small stuffs) This will encrypt data and show the result

      .Encrypt button do many task will save our key and file on server it will also create folder lockbox into SDCardSDcard will have those files we have created here.

  7. Conclusion

    A risk management and security framework is needed to protect applications and data on mobile devices when they are lost. Our approach is to develop a risk management and security framework that compartmentalizes sensitive applications and data, and supports fine-grained access policies. Since the physical security of mobile devices can change, access control should be managed according to the threat level. Applications deemed too risky for the current physical environment should be locked. Application lockbox provides another layer of protection for sensitive applications and data in mobile devices. It can provide meaningful protection without significant changes in current technology and is intended to work with existing applications without modification. It will b able to protect locked applications and data even if the enemy has physical possession of the device. It will allow for fine-grained risk-adaptive access control policies since applications can be selectively locked without disabling the entire device. The application lockbox will encapsulate individual applications and all their associated data to allow for access control on the application level. The application lockboxes need to provide robust protection when they are locked. Therefore, a robust policy framework is needed for risk management and mitigation that takes into account the risk in the environment as well as the least privilege principle. Effectiveness of the security framework will be driven by the risk-adaptive access controlpolicy. Lockboxes for sensitive applications should be automatically locked when the mobile device is deemed to bein high-risk situations. The goal is for sensitive application and data to be already locked when the enemy or a thief captures the device. if mobile is lost no one can open our confidential data .

  8. Acknowledgement

    I must thank, first and foremost, my guide Mr. PrashantJawade, Assistant Professor from Department of Information Technology who gave me opportunity to write this paper without his guidance and patience, this dissertation would not be possible. Finally, I thank him to review my paper and his valuable suggestion that make to improve quality of my paper.

  9. References

  1. M Prabu Kumar1 and K Praneesh Kumar Yadav, Data Security in Mobile Devices by GEO Locking, International Journal of Network Security & Its Applications (IJNSA), Vol.1, No.3, October 2009.

  2. Jim Luo ,Myong Kang ,Application lockbox for mobile device security,Naval Research Laboratory 2011 Eighth International Conference on Information Technology: New Generations.

  3. Hsien-Chou Liao, Po-Ching Lee, Yun-Hsiang Chao, and Chin-Ling Chen,A Location-Dependent Data Encryption Approach for Enhancing Mobile Information System Security ISBN 978-89-5519-131-8 93560.

  4. Yu Chen Self-Encryption Scheme for Data Security in Mobile Devices Manuscript submitted on Oct. 2, 2008 to CCNC09, Las Vegas, NV, USA, Jan. 10 13, 2009., E- mail: ychen@binghamton.edu, Tel.: (607) 777-6133

  5. Acharya, and M. Raje,MAPbox: Using Parameterized Behavior Classes to Con[12]A. "MAPbox: using parameterized behavior classes to confine untrusted applications."

  6. Thomas Bl¨asing, Leonid Batyuk, Aubrey-Derrick Schmidt,SeyitAhmetCamtepe,andSahinAlbayrakTechnische Universit¨at Berlin – DAI-Labor An Android Application Sandbox System for Suspicious Software Detection,2010 5th International Conference on Malicious and Unwanted Software.

  7. BlaMarkelj, Igor Bernik,Mobile Devices and Corporate Data Security International journal of education and information technologies,Issue 1, Volume 6, 2012

Leave a Reply