Mobile Hacking Exposed Foreword

Since the mid-1990s, mobile devices have gone through a dramatic shift from monolithic, single-purpose computers to general-purpose computing environments. The first-generation digital mobile phones were embedded systems with little room for third-party software. With the advent of J2ME in 1999 and BREW in 2001, the baseband processors on mobile phones started doing double duty as application processors for third-party software. For the first time, consumers could choose the applications to run on their phones.

The evolution of mobile devices from embedded systems to what we think of as modern computing platforms followed a well-worn path, described by Daniel P. Siewiorek, C. Gordon Bell, and Allen Newell in Computer Structures: Principles and Examples, along the same progression that mainframe computers, minicomputers, and desktop computers had followed. Mobile devices evolved from single-function firmware to installable software and robust application environments, from single-threaded systems with slow processors, limited memory, and limited operating system capabilities to multitasking systems with high-speed processors, extensive memory, specialized coprocessors, and operating system capabilities comparable to desktop computers.

Mobile devices today have computing power and network throughput at a similar scale to desktop computers, and audio and video capabilities to match. Arguably, the ever-present 3G and 4G mobile networks give mobile phones even more pervasive access to online resources than desktop computers. Mobile devices, however, have some capabilities and limitations that set them apart from other computing environments.

User interaction on mobile devices is constrained. Crude input and displays once limited user interaction; now the physical size of the device is the main limitation, restricting the amount of information mobile devices can display and the options for user input. When you factor in the capabilities of human eyesight and typical viewing distances, a laptop computer could display ten times the information of a mobile phone. Touchscreens increase the target size of on-screen controls to compensate for the natural size of fingertips, which further limits the scope of operations available to users of mobile devices.

The size of mobile devices gives them a distinct advantage in portability, making it possible for users to carry these devices with them at all times. A quick shift from idle to active modes allows immediate access to computing resources. Users often interact with mobile devices for only a few seconds or a few minutes. The immediacy and pervasiveness of mobile devices allow us to use them in a distinctly personal context. We rely on them for our most intimate communications, and we use them for our most personal information.

Mobile devices have hardware capabilities that are uncommon in other computing environments. Touchscreens are common and are often augmented with motion sensors. Positioning systems, whether GPS or network based, are mandated by regulation. Environmental sensors such as temperature, light, and proximity are also common. All these features provide mobile devices with additional data that is potentially personal and private.

In a desktop computing environment, end users (or their IT departments) typically have insight into and even responsibility for the workings of the computer operating system. On a desktop computer, users can read the log files and change software configurations. The mobile environment generally obscures the operating system from ordinary users, so that users typically cannot monitor its activities. Third-party software in mobile devices often runs within a sandboxed environment, with controlled access to operating system functions and restrictions on interacting with other applications. Unlike desktop computing environments, a central application distributor often curates and controls third-party software on mobile devices, to a greater or lesser extent.

The challenge for mobile application developers is to provide a relevant mobile experience, rich in personal information. Mobile applications need to take advantage of the computing and connectivity capabilities of the platform because users have come to expect instant responsiveness and a constant flow of information from services on the network. At the same time, application developers need to hide the complexities of their applications from users, by simplifying configuration and silently handling error conditions. Mobile devices are generally consumer-oriented platforms, which makes it difficult for enterprise developers to deliver services that meet their requirements while meeting their internal compliance obligations. Developers ultimately have the responsibility of delivering a service and a brand that end users can trust.

All these things present new challenges to security in the mobile environment that go beyond the familiar challenges of other computing environments. Mobile applications rely on frequent communication between client and server, and depend heavily on servers to store and process data, which means that personal information is present both on the device and in the cloud. Mobile device hardware provides sensitive personal information, such as location, which must be appropriately protected. There are limited opportunities to mitigate security flaws because the operating system is generally protected and not extensible, and the cycles for bug fixes are longer.

The interface constraints of mobile devices make complex security interactions with users impractical. There are limited cues to inform users if something is wrong, and it is difficult for users to investigate or resolve issues on their own. On a mobile device, even common interactions like logging in with a username and password are tedious. Mobile application developers must make security decisions on behalf of the users, both to improve usability and because users would not have the capability to reconfigure mobile applications. In this restricted environment, users have to rely on an assumption of trust in the application developer. Breaching this trust can significantly damage the developer’s brand.

Mobile phones have established their place in the realm of computing, as platforms for rich applications, extending our computing resources from desktop and cloud, and as a new environment for standalone applications. The features that make mobile phones interesting and useful are also the features that make them challenging to develop products for and make them challenging to secure. This book directly addresses these challenges, with detailed guidelines for mobile application developers, with an approach that starts with threat modeling and delves deeper into secure coding and software maintenance practices specific to mobile applications. This book provides specific details on mobile networks and the iOS and Android platforms to assist developers in securing their applications. It also covers server-side security and topics relevant to enterprise users of mobile devices and applications, as well as the specialized and developing area of mobile payments. Hacking Exposed: Mobile Security Secrets & Solutions is a valuable resource for anyone developing, publishing, managing, or using mobile applications, and an insightful guide for industry observers.

—Kai Johnson
Chief Architect
Isis Mobile Commerce