threat model original

User Generated

oyhroreel89

Computer Science

Description

The paper is written already but it has revisions that need to be addressed. Thanks in advance for the assistance.

Unformatted Attachment Preview

Running Head: THREAT MODELLING 1 UNIVERSITY OF MARYLAND UNIVERSITY COLLEGE PROJECT 3: Threat Model Arlecia Johnson CST620 for Professor Alenka Brown October 20, 2017 STEP 1: You need to address the following in your paper. 1. How a particular mobile application of your choosing conforms to mobile architectures 2. asked to describe device-specific features used by the application, wireless transmission protocols, data transmission mediums, interaction with hardware components, and other applications. 3. identify the needs and requirements for application security, computing security, and device management and security. 4. describe the operational environment and use cases, and identify the operating system security and enclave/computing environment security concerns, if there are any. This can be fictional or modeled after a real-world application. 5. Be sure to use APA citation format. This will be part of your final report. THREAT MODELLING 2 I. Introduction Mobile Applications on smartphones have become a strong model of state-of-the-art communication (Bojinov, Michalevsky, Nakibly, & Boneh, 2014). There is need for all organizations that deal directly with clients and have some allowance for e-commerce or emarketing to allow for use of smartphone applications (Chen, Qian, Mao, Tang, & Yang, 2016). My company allows its employs the use of IOS, Windows MTobile, Android OS, Serbian, and Blackberry Android interphases on the company’s architectural mobile application. Though there is need for different data handling for each operating system, there has been a good integration, because the main purpose of the application is to sell, order, and view products and advice (Chen, Qian, Mao, Tang, & Yang, 2016). This report looks into the mobile application development and specifically the [what mobile application?]. In additon, the report provides insight to best practices that should be employed by the company based on the independent research. I. Mobile Application Architecture The mobile App selected for our company has the IOS, android and blackberry interphases, that allows for Windows Mobile and Serbian access. The Blackberry is the most secure, but finds little usage. The IOS is relatively secure considering the sophisticated technology used in IOS files encryptions. Android Mobile Apps, on the other hand, use routers to distribute radio waves to multiple users, which utilizes what is called Orthogonal Frequency division multiplexing. The importance to leadership is that users of the data are able to access the THREAT MODELLING database from one point; however, that data is less secure than the previous versions such as the time division multiplexing that divided the signals into time slots and was very slow. It was used with 2G Internet, while the OFDMA is able to breakdown the signal into bandwidths and utilize 4G internet. The OFDMA has increased the mobile App’s through the reduction of guard bands, which is enabled by the orthogonal feature of the application. Meaning what? This application is enabled by the Long Term Evolution technology and is currently the most efficient but less secure than TDM multiplexing (Bojinov, Michalevsky, Nakibly, & Boneh, 2014). The common model of data transmission is radio transmission, which the company uses via Cisco to reach clients countrywide. With the introduction of mobile apps, typical radio transmission is replaced with wireless mobile communications. It can operate across the national boarders but the company has not embraced the overseas markets. With the introduction of mobile applications, there is an increase in vulnerability to the companies overall network, because it is available for downloads and use regardless of the location (Bojinov, Michalevsky, Nakibly, & Boneh, 2014). The wider the scope of the company’s use of mobile apps, the higher the level of vulnerability to the companies overall architectural network, exposing the company’s business and client’s personal data.. The hybrid application used allow for both web and mobile application transmission, making it vulnerable to both web based attacks and mobile app attacks. One feature that makes it less vulnerable is there are minimal user-user interactions, and mostly user to database interactions (Chen, Qian, Mao, Tang, & Yang, 2016). 3 THREAT MODELLING 4 II. Requirements The business function of the application is to allow users access to the company to carry out transactions. It contains banking details and allows the users give specifications of their products (Bojinov, Michalevsky, Nakibly, & Boneh, 2014). The application should continue to use existing algorithm that enables the employees to match the right product to the customers’ requirements, while providing recommendation to further market other products that the company produces. The company shall use Pinterest APIs from which the company has most of its products being marketed. . In addition, during registration, the company should permit clients to select Facebook details from their devices. This is shall be provided in an API that allows the App to read the personal profile, taking email, full names and other details from Facebook. This is, however, available to willing users. However, the mobile architecture will need to be properly secured as this user mobile benefit will increase the threat if Pinterest or Facebook, is insecure, There is a chance that the App user will be vindicated, as this benefit is a major source of spoofing attacks (Bojinov, Michalevsky, Nakibly, & Boneh, 2014). The company should continue to use Secure Sockets Layer virtual private network Virtual private network (SSL VPN), which allows users at home to log into the network through their smartphones as well as the web services. However, the SSL VPN is vulnerable because it can allow for common system file-stem code to be used by a non-client to access the network. Cisco ISA 3000 Industrial Security Appliance used in the company is an SSL VPN system component that is present in the company’s system that is vulnerable to this type of attack. The company handles this vulnerability, by its superior encryption models for data and network THREAT MODELLING access. The company provides a One Time Pin strategy, which is sent to the customer’s phone for authentication of the correct login user details. This requirement should be maintained as is. (Chen, Qian, Mao, Tang, & Yang, 2016). Guest users and non-administrative users should only have access to is their profile and banking details as needed for their use or work. These protocols may only be changed aby the network administrator. The applications may provide the client with a history of their transactions, and other purchase details. This is not seen to be critical to the network. However if client or company data compromised by a hacker or insider actors , which is able to calculate the banking balances, and show some personal banking details, for instance, the Visa Card numbers and full details that can induce a transaction (Bojinov, Michalevsky, Nakibly, & Boneh, 2014). There are issues with IP addresses that need to be addressed. First, there are users of mobile Apps who log into the system on the web as well. This shows multiple use of a single account, identified by the IDS/IPS protocols as an alarm. The system immediately breaks down the communication to the two devices, and the user is requested to log out from one device as from the policies agreed upon in the process of singing up for the mobile App and web services (Chen, Qian, Mao, Tang, & Yang, 2016). Jail breaking is done to give devices the freedom to the download and use Apps from other sources. Apple for instance, has higher restrictions and does not allow the use of applications from other sources but apple store. Jail breaking allows the use of other applications. The main risk is Trojans and malware penetration due to less security. Hackers can follow the new applications and be able to gain access to data from the mobile device. This reduces the use of 5 THREAT MODELLING 6 the mobile device because it cannot be useful in receiving the company’s mobile App, but the users can use their web browsers (Bojinov, Michalevsky, Nakibly, & Boneh, 2014). NEED A LEAD IN STATEMENT TO THE NEXT PARAGRAPH III. Threats and Threat Agents The first threat is the mobile storage of applications, for instance, in memory cards or phone memory, through which the user browses. This makes mobile memory vulnerable to malware, for instance, spear phishing or email spoofing attack. The second threat is adversaries that begin reading content through putty/WinSCP through SSH. This is a threat since WHAT? Another threat is sniffing through a Wi-Fi network. This threat does WHAT? All the aforementioned threats are due to beneficiary’s details. Others include authorizing a malicious application to read phone memory. Another threat is due to the higher chances of devices loss than it is for PCs, meaning that mobile Apps enhance threats agents (Bojinov, Michalevsky, Nakibly, & Boneh, 2014). Another threat that is least likely to be suspected is the organization’s internal employees who have access to client’s personal data, and malicious intentions – the insider threat. These employees are tempted to violate privacy and intellectual property rights of the client. In addition, the company’s network exploits are also a threat to mobile Apps. We know web applications can be attacked through backdoor hosting, and mobile Apps are no exception. Hackers are able to access the data and exploit mobile applications for similar malicious purposes as in other business units of the company’s network (He, Chan, & Guizani, 2015). THREAT MODELLING 7 IV. Methods of Attacks Android devices are the most attacked devices. However, the company’s Information Technology division has set specific protocols that involves protection through isolation, encryption and signatures. Attackers mainly use spear phishing (Bojinov, Michalevsky, Nakibly, & Boneh, 2014). We find in our forensic investigation the users/employees signature can be manipulated by the attacker to access the company’s mobile devices through the use of Trojans. This malware allows the attacker to use existing apps such as email and Google Store to request the user to download more applications that allow for malicious activities. This type of attack can permit the attacker access to existing applications such as the company’s application, whereby, personal information and data of the company’s users, employees, and business transactions can be collected and used by the hacker (He, Chan, & Guizani, 2015). Our independent research shows these same attacks are effective on other mobile devices, e.g., windows mobile, but blackberry android and Apple. The phones do not allow for use of infected applications, and most applications in their stores are kept infection free. However, these two operating systems are mainly subjected to jail breaking. V. Analysis of Threats In the previous section, we investigated that spear phishing is possible with our mobile applications. Our analysis shows this is done through several steps. First, the attacker needs access to the target client. To get this information, the easiest way is to use email or social THREAT MODELLING media. Links that are listed in social media for mobile phones that browse the internet from their memory card or internal memory is clicked. The Trojan is able to embed itself into the memory (Bojinov, Michalevsky, Nakibly, & Boneh, 2014). The Trojan spreads and targets email and sends data back to the attacker. The attacker then sends a file to the client’s email, mainly a disgusting gif file, which, while clicked or exited embeds an application malware to the smartphone. This malware fakes signature and attacks all applications, taking information from the Apps - known as social engineering (He, Chan, & Guizani, 2015). The second method of analysis is network exploits. In network exploits, the hacker accesses to see any loopholes in the our mobile App source code. The loop identified is used to penetrate and conduct backdoor hosting activities. The hacker ensures that they have used the administrative powers of backdoor hosting to shut down any firewalls that will discourage their activities. They are then able to collect any save passwords and usernames to important Apps, including apps that have delicate banking and health information of the mobile user (He, Chan, & Guizani, 2015). Our analysis shows both methods of attack use specific malware to compromise mobile phones. However, we find there is also DDoS and DoS attacks, which mainly use malware. The attacker uses malware after getting backdoor hosting privileges. In most cases the mobile device is frozen as the cyber attacker is carrying their activities. The attackers ensure that the malware does not let the phone switch off buying the hacker time to access all the data on the mobile device’s internal memory card of enterprise data, as well as personal data, which can allow a malicious person access one’s account and retrieve data (Bojinov, Michalevsky, Nakibly, & Boneh, 2014). How 8 THREAT MODELLING 9 VI. Controls The first step to mobile App safety is keeping personal data such as passwords, usernames safe. The data should not be stored for very sensitive applications. Most applications ask the user to store passwords, but it is optional, and not recommended to due possible accessibility by hackers. (Bojinov, Michalevsky, Nakibly, & Boneh, 2014). The user should be ready to enter logins every time they are login into the services. One way an attack can be triggered, as seen is through access of data stored in memory cards, and this data is not stored in the App, but in the memory cards or internal memories adjacent to the application. Best practice, therefore, is not remembering the login details (Chell, Erasmus, Colley, & Whitehouse, 2015). The second way of securing apps from the aforementioned threats is avoiding installation of unwanted applications. Most tempting applications that are not from trusted sources are used by malicious actors to get access of mobile devices. Avoiding applications that are from untrusted sources is a remedy that can prevent malware attacks and backdoor hosting. It protects the other applications and data stored to some extent. The IDS/IPS system should remain as it is: It should never allow users to log in from two devices at a go, because this can be a man-in-the middle attack in a deceptive model (Chell, Erasmus, Colley, & Whitehouse, 2015). For smartphone operating systems such as Apple and Blackberry Android, it is important to stick to the services provided. The process of Jail breaking opens up the mobile device to threats that are curbed by the device if it is jailed to its original operating system (Bojinov, Michalevsky, Nakibly, & Boneh, 2014). It is important to avoid jail breaking because it affects firewalls and malware protection offered by the device. Apple devices using IOS are protected from installations from unknown sources. Android devices, on the other hand, can allow for THREAT MODELLING 10 downloads from unknown sources, but in most cases prompts the user. Android devices should have their settings left to the default that disallows downloads from untrusted sources other than the Google Market (Bojinov, Michalevsky, Nakibly, & Boneh, 2014). VII. Conclusion There are threats that are very common for web based and mobile apps. Some are specific to web based apps, and others are specific to smartphone apps. In most cases, the threats depend on the operating system. Some devices, such as Android and Windows are more vulnerable than Apple and Blackberry Android (Bojinov, Michalevsky, Nakibly, & Boneh, 2014). (new thought new paragraph) Spear Phishing is common with mobile attacks, but other models of attacks such as Man-in-the-Middle attacks are common as well. These attacks aim at collecting data and essential passwords. The company should develop policies that require the users to be cautious with their information. They should also disallow the use of jail broken devices. Users of web services should be advised not to store passwords in their phones’ memories, if they still browse from the same memory slots. The IDS/IPS system should remain as it is: The IDS/IPS should never allow users to log in from two devices at a go, because this can be a man-in-the-middle attack in a deceptive model (Chell, Erasmus, Colley, & Whitehouse, 2015). THREAT MODELLING 11 There is no reference to these screen shots in the report above so they are not needed. If you wish to turn them in separately, each screen must have a title, for example, Screen Shot1: [title] and a one to two sentence description of the screen shot is about. THREAT MODELLING 12 THREAT MODELLING 13 THREAT MODELLING 14 THREAT MODELLING 15 THREAT MODELLING 16 THREAT MODELLING 17 THREAT MODELLING 18 THREAT MODELLING 19 THREAT MODELLING 20 THREAT MODELLING 21 THREAT MODELLING 22 References Chen, M., Qian, Y., Mao, S., Tang, W., & Yang, X. (2016). Software-defined mobile networks security. Mobile Networks and Applications, 21(5), 729-743. Bojinov, H., Michalevsky, Y., Nakibly, G., & Boneh, D. (2014). Mobile device identification via sensor fingerprinting. arXiv preprint arXiv:1408.1416. He, D., Chan, S., & Guizani, M. (2015). Mobile application security: malware threats and defenses. IEEE Wireless Communications, 22(1), 138-144. Chell, D., Erasmus, T., Colley, S., & Whitehouse, O. (2015). The mobile application hacker's handbook. John Wiley & Sons. Running Head: THREAT MODELLING 1 UNIVERSITY OF MARYLAND UNIVERSITY COLLEGE PROJECT 3: Threat Model October 20, 2017 STEP 1: You need to address the following in your paper. 1. How a particular mobile application of your choosing conforms to mobile architectures 2. asked to describe device-specific features used by the application, wireless transmission protocols, data transmission mediums, interaction with hardware components, and other applications. 3. identify the needs and requirements for application security, computing security, and device management and security. 4. describe the operational environment and use cases, and identify the operating system security and enclave/computing environment security concerns, if there are any. This can be fictional or modeled after a real-world application. 5. Be sure to use APA citation format. This will be part of your final report. I. Introduction Mobile Applications on smartphones have become a strong model of state-of-the-art communication (Bojinov, Michalevsky, Nakibly, & Boneh, 2014). There is need for all organizations that deal directly with clients and have some allowance for e-commerce or emarketing to allow for use of smartphone applications (Chen, Qian, Mao, Tang, & Yang, THREAT MODELLING 2 2016). My company allows its employs the use of IOS, Windows MTobile, Android OS, Serbian, and Blackberry Android interphases on the company’s architectural mobile application. Though there is need for different data handling for each operating system, there has been a good integration, because the main purpose of the application is to sell, order, and view products and advice (Chen, Qian, Mao, Tang, & Yang, 2016). This report looks into the mobile application development and specifically the [what mobile application?]. In additon, the report provides insight to best practices that should be employed by the company based on the independent research. I. Mobile Application Architecture The mobile App selected for our company has the IOS, android and blackberry interphases, that allows for Windows Mobile and Serbian access. The Blackberry is the most secure, but finds little usage. The IOS is relatively secure considering the sophisticated technology used in IOS files encryptions. Android Mobile Apps, on the other hand, use routers to distribute radio waves to multiple users, which utilizes what is called Orthogonal Frequency division multiplexing. The importance to leadership is that users of the data are able to access the database from one point; however, that data is less secure than the previous versions such as the time division multiplexing that divided the signals into time slots and was very slow. It was used with 2G Internet, while the OFDMA is able to breakdown the signal into bandwidths and utilize 4G internet. The OFDMA has increased the mobile App’s through the reduction of guard bands, which is enabled by the orthogonal feature of the application. Meaning what? This application is enabled by the Long Term Evolution technology and is THREAT MODELLING 3 currently the most efficient but less secure than TDM multiplexing (Bojinov, Michalevsky, Nakibly, & Boneh, 2014). The common model of data transmission is radio transmission, which the company uses via Cisco to reach clients countrywide. With the introduction of mobile apps, typical radio transmission is replaced with wireless mobile communications. It can operate across the national boarders but the company has not embraced the overseas markets. With the introduction of mobile applications, there is an increase in vulnerability to the companies overall network, because it is available for downloads and use regardless of the location (Bojinov, Michalevsky, Nakibly, & Boneh, 2014). The wider the scope of the company’s use of mobile apps, the higher the level of vulnerability to the companies overall architectural network, exposing the company’s business and client’s personal data.. The hybrid application used allow for both web and mobile application transmission, making it vulnerable to both web based attacks and mobile app attacks. One feature that makes it less vulnerable is there are minimal user-user interactions, and mostly user to database interactions (Chen, Qian, Mao, Tang, & Yang, 2016). II. Requirements The business function of the application is to allow users access to the company to carry out transactions. It contains banking details and allows the users give specifications of their products (Bojinov, Michalevsky, Nakibly, & Boneh, 2014). THREAT MODELLING The application should continue to use existing algorithm that enables the employees to match the right product to the customers’ requirements, while providing recommendation to further market other products that the company produces. The company shall use Pinterest APIs from which the company has most of its products being marketed. . In addition, during registration, the company should permit clients to select Facebook details from their devices. This is shall be provided in an API that allows the App to read the personal profile, taking email, full names and other details from Facebook. This is, however, available to willing users. However, the mobile architecture will need to be properly secured as this user mobile benefit will increase the threat if Pinterest or Facebook, is insecure, There is a chance that the App user will be vindicated, as this benefit is a major source of spoofing attacks (Bojinov, Michalevsky, Nakibly, & Boneh, 2014). The company should continue to use Secure Sockets Layer virtual private network Virtual private network (SSL VPN), which allows users at home to log into the network through their smartphones as well as the web services. However, the SSL VPN is vulnerable because it can allow for common system file-stem code to be used by a non-client to access the network. Cisco ISA 3000 Industrial Security Appliance used in the company is an SSL VPN system component that is present in the company’s system that is vulnerable to this type of attack. The company handles this vulnerability, by its superior encryption models for data and network access. The company provides a One Time Pin strategy, which is sent to the customer’s phone for authentication of the correct login user details. This requirement should be maintained as is. (Chen, Qian, Mao, Tang, & Yang, 2016). 4 THREAT MODELLING 5 Guest users and non-administrative users should only have access to is their profile and banking details as needed for their use or work. These protocols may only be changed aby the network administrator. The applications may provide the client with a history of their transactions, and other purchase details. This is not seen to be critical to the network. However if client or company data compromised by a hacker or insider actors , which is able to calculate the banking balances, and show some personal banking details, for instance, the Visa Card numbers and full details that can induce a transaction (Bojinov, Michalevsky, Nakibly, & Boneh, 2014). There are issues with IP addresses that need to be addressed. First, there are users of mobile Apps who log into the system on the web as well. This shows multiple use of a single account, identified by the IDS/IPS protocols as an alarm. The system immediately breaks down the communication to the two devices, and the user is requested to log out from one device as from the policies agreed upon in the process of singing up for the mobile App and web services (Chen, Qian, Mao, Tang, & Yang, 2016). Jail breaking is done to give devices the freedom to the download and use Apps from other sources. Apple for instance, has higher restrictions and does not allow the use of applications from other sources but apple store. Jail breaking allows the use of other applications. The main risk is Trojans and malware penetration due to less security. Hackers can follow the new applications and be able to gain access to data from the mobile device. This reduces the use of the mobile device because it cannot be useful in receiving the company’s mobile App, but the users can use their web browsers (Bojinov, Michalevsky, Nakibly, & Boneh, 2014). NEED A LEAD IN STATEMENT TO THE NEXT PARAGRAPH III. Threats and Threat Agents THREAT MODELLING 6 The first threat is the mobile storage of applications, for instance, in memory cards or phone memory, through which the user browses. This makes mobile memory vulnerable to malware, for instance, spear phishing or email spoofing attack. The second threat is adversaries that begin reading content through putty/WinSCP through SSH. This is a threat since WHAT? Another threat is sniffing through a Wi-Fi network. This threat does WHAT? All the aforementioned threats are due to beneficiary’s details. Others include authorizing a malicious application to read phone memory. Another threat is due to the higher chances of devices loss than it is for PCs, meaning that mobile Apps enhance threats agents (Bojinov, Michalevsky, Nakibly, & Boneh, 2014). Another threat that is least likely to be suspected is the organization’s internal employees who have access to client’s personal data, and malicious intentions – the insider threat. These employees are tempted to violate privacy and intellectual property rights of the client. In addition, the company’s network exploits are also a threat to mobile Apps. We know web applications can be attacked through backdoor hosting, and mobile Apps are no exception. Hackers are able to access the data and exploit mobile applications for similar malicious purposes as in other business units of the company’s network (He, Chan, & Guizani, 2015). IV. Methods of Attacks Android devices are the most attacked devices. However, the company’s Information Technology division has set specific protocols that involves protection through isolation, encryption and signatures. THREAT MODELLING 7 Attackers mainly use spear phishing (Bojinov, Michalevsky, Nakibly, & Boneh, 2014). We find in our forensic investigation the users/employees signature can be manipulated by the attacker to access the company’s mobile devices through the use of Trojans. This malware allows the attacker to use existing apps such as email and Google Store to request the user to download more applications that allow for malicious activities. This type of attack can permit the attacker access to existing applications such as the company’s application, whereby, personal information and data of the company’s users, employees, and business transactions can be collected and used by the hacker (He, Chan, & Guizani, 2015). Our independent research shows these same attacks are effective on other mobile devices, e.g., windows mobile, but blackberry android and Apple. The phones do not allow for use of infected applications, and most applications in their stores are kept infection free. However, these two operating systems are mainly subjected to jail breaking. V. Analysis of Threats In the previous section, we investigated that spear phishing is possible with our mobile applications. Our analysis shows this is done through several steps. First, the attacker needs access to the target client. To get this information, the easiest way is to use email or social media. Links that are listed in social media for mobile phones that browse the internet from their memory card or internal memory is clicked. The Trojan is able to embed itself into the memory (Bojinov, Michalevsky, Nakibly, & Boneh, 2014). The Trojan spreads and targets email and sends data back to the attacker. The attacker then sends a file to the client’s email, mainly a disgusting gif file, which, while clicked or exited embeds an application malware to THREAT MODELLING 8 the smartphone. This malware fakes signature and attacks all applications, taking information from the Apps - known as social engineering (He, Chan, & Guizani, 2015). The second method of analysis is network exploits. In network exploits, the hacker accesses to see any loopholes in the our mobile App source code. The loop identified is used to penetrate and conduct backdoor hosting activities. The hacker ensures that they have used the administrative powers of backdoor hosting to shut down any firewalls that will discourage their activities. They are then able to collect any save passwords and usernames to important Apps, including apps that have delicate banking and health information of the mobile user (He, Chan, & Guizani, 2015). Our analysis shows both methods of attack use specific malware to compromise mobile phones. However, we find there is also DDoS and DoS attacks, which mainly use malware. The attacker uses malware after getting backdoor hosting privileges. In most cases the mobile device is frozen as the cyber attacker is carrying their activities. The attackers ensure that the malware does not let the phone switch off buying the hacker time to access all the data on the mobile device’s internal memory card of enterprise data, as well as personal data, which can allow a malicious person access one’s account and retrieve data (Bojinov, Michalevsky, Nakibly, & Boneh, 2014). How VI. Controls The first step to mobile App safety is keeping personal data such as passwords, usernames safe. The data should not be stored for very sensitive applications. Most applications ask the user to store passwords, but it is optional, and not recommended to due possible accessibility by hackers. (Bojinov, Michalevsky, Nakibly, & Boneh, 2014). The user should be ready to THREAT MODELLING 9 enter logins every time they are login into the services. One way an attack can be triggered, as seen is through access of data stored in memory cards, and this data is not stored in the App, but in the memory cards or internal memories adjacent to the application. Best practice, therefore, is not remembering the login details (Chell, Erasmus, Colley, & Whitehouse, 2015). The second way of securing apps from the aforementioned threats is avoiding installation of unwanted applications. Most tempting applications that are not from trusted sources are used by malicious actors to get access of mobile devices. Avoiding applications that are from untrusted sources is a remedy that can prevent malware attacks and backdoor hosting. It protects the other applications and data stored to some extent. The IDS/IPS system should remain as it is: It should never allow users to log in from two devices at a go, because this can be a man-in-the middle attack in a deceptive model (Chell, Erasmus, Colley, & Whitehouse, 2015). For smartphone operating systems such as Apple and Blackberry Android, it is important to stick to the services provided. The process of Jail breaking opens up the mobile device to threats that are curbed by the device if it is jailed to its original operating system (Bojinov, Michalevsky, Nakibly, & Boneh, 2014). It is important to avoid jail breaking because it affects firewalls and malware protection offered by the device. Apple devices using IOS are protected from installations from unknown sources. Android devices, on the other hand, can allow for downloads from unknown sources, but in most cases prompts the user. Android devices should have their settings left to the default that disallows downloads from untrusted sources other than the Google Market (Bojinov, Michalevsky, Nakibly, & Boneh, 2014). VII. Conclusion THREAT MODELLING 10 There are threats that are very common for web based and mobile apps. Some are specific to web based apps, and others are specific to smartphone apps. In most cases, the threats depend on the operating system. Some devices, such as Android and Windows are more vulnerable than Apple and Blackberry Android (Bojinov, Michalevsky, Nakibly, & Boneh, 2014). (new thought new paragraph) Spear Phishing is common with mobile attacks, but other models of attacks such as Man-in-the-Middle attacks are common as well. These attacks aim at collecting data and essential passwords. The company should develop policies that require the users to be cautious with their information. They should also disallow the use of jail broken devices. Users of web services should be advised not to store passwords in their phones’ memories, if they still browse from the same memory slots. The IDS/IPS system should remain as it is: The IDS/IPS should never allow users to log in from two devices at a go, because this can be a man-in-the-middle attack in a deceptive model (Chell, Erasmus, Colley, & Whitehouse, 2015). There is no reference to these screen shots in the report above so they are not needed. If you wish to turn them in separately, each screen must have a title, for example, Screen Shot1: [title] and a one to two sentence description of the screen shot is about. THREAT MODELLING 11 THREAT MODELLING 12 THREAT MODELLING 13 THREAT MODELLING 14 THREAT MODELLING 15 THREAT MODELLING 16 THREAT MODELLING 17 THREAT MODELLING 18 THREAT MODELLING 19 THREAT MODELLING 20 THREAT MODELLING 21 References Chen, M., Qian, Y., Mao, S., Tang, W., & Yang, X. (2016). Software-defined mobile networks security. Mobile Networks and Applications, 21(5), 729-743. Bojinov, H., Michalevsky, Y., Nakibly, G., & Boneh, D. (2014). Mobile device identification via sensor fingerprinting. arXiv preprint arXiv:1408.1416. He, D., Chan, S., & Guizani, M. (2015). Mobile application security: malware threats and defenses. IEEE Wireless Communications, 22(1), 138-144. Chell, D., Erasmus, T., Colley, S., & Whitehouse, O. (2015). The mobile application hacker's handbook. John Wiley & Sons.
Purchase answer to see full attachment
User generated content is uploaded by users for the purposes of learning and should be used following Studypool's honor code & terms of service.

Explanation & Answer

Attached.

Running Head: THREAT MODELLING

1

UNIVERSITY OF MARYLAND UNIVERSITY COLLEGE
PROJECT 3: Threat Model
Arlecia Johnson
CST620
for
Professor Alenka Brown
October 20, 2017
STEP 1: You need to address the following in your paper.
1. How a particular mobile application of your choosing conforms to mobile
architectures
2. asked to describe device-specific features used by the application, wireless
transmission protocols, data transmission mediums, interaction with hardware
components, and other applications.
3. identify the needs and requirements for application security, computing security, and
device management and security.
4. describe the operational environment and use cases, and identify the operating
system security and enclave/computing environment security concerns, if there are
any. This can be fictional or modeled after a real-world application.
5. Be sure to use APA citation format. This will be part of your final report.

THREAT MODELLING

2

I. Introduction
Mobile Applications on smartphones have become a strong model of state-of-the-art
communication (Bojinov, Michalevsky, Nakibly, & Boneh, 2014). There is need for all
organizations that deal directly with clients and have some allowance for e-commerce or emarketing to allow for use of smartphone applications (Chen, Qian, Mao, Tang, & Yang,
2016). My company allows its employs the use of IOS, Windows MTobile, Android OS,
Serbian, and Blackberry Android interphases on the company’s architectural mobile
application.
Though there is need for different data handling for each operating system, there has been a
good integration, because the main purpose of the application is to sell, order, and view
products and advice (Chen, Qian, Mao, Tang, & Yang, 2016). This report looks into the
mobile application development and specifically the [what mobile application?]. In additon,
the report provides insight to best practices that should be employed by the company based on
the independent research.
I.

Mobile Application Architecture

The mobile App selected for our company has the IOS, android and blackberry interphases,
that allows for Windows Mobile and Serbian access. The Blackberry is the most secure,
however, a less desirable mobile device. The mobile iPhone operating system (iOS) is
relatively secure considering the sophisticated technology used in IOS files encryptions.
Android Mobile Apps, on the other hand, use routers to distribute radio waves to multiple
users, which utilizes what is called Orthogonal Frequency division multiplexing. The
importance to leadership is that users of the data are able to access the database from one point;

THREAT MODELLING

3

however, that data is less secure than the previous versions such as the time division
multiplexing that divided the signals into time slots and was very slow.
Orthogonal frequency-division multiplexing was used with 2G Internet, while the
Orthogonal Frequency Division Multiple Access (OFDMA)1 is able to breakdown the signal
into bandwidths and utilize 4G internet. The OFDMA has increased reliability throughout the
mobile application market through the reduction of guard bands2, which is enabled by the
orthogonal feature of the application. Meaning that the application securely enables the Long
Term Evolution technology and is currently the most efficient but less secure than TDM
multiplexing (Bojinov, Michalevsky, Nakibly, & Boneh, 2014).
The common model of data transmission is radio transmission, which the company uses via
Cisco to reach clients countrywide. With the introduction of mobile apps, typical radio
transmission is replaced with wireless mobile communications. It can operate across the
national boarders but the company has not embraced the overseas markets. With the
introduction of mobile applications, there is an increase in vulnerability to the companies
overall network, because it is available for downloads and use regardless of the location
(Bojinov, Michalevsky, Nakibly, & Boneh, 2014).
The wider the scope of the company’s use of mobile apps, the higher the level of
vulnerability to the companies overall architectural network, exposing the company’s business
and client’s personal data.. The hybrid application used allow for both web and mobile
application transmission, making it vulnerable to both web based attacks and mobile app

1
2

A technique for transmitting large amounts of digital data over a radio wave
The unused part of the radio spectrum preventing interface

THREAT MODELLING

4

attacks. One feature that makes it less vulnerable is there are minimal user-user interactions,
and mostly user to database interactions (Chen, Qian, Mao, Tang, & Yang, 2016).

II.

Requirements

The business function of the application is to allow users access to the company to carry out
transactions. It contains banking details and allows the users give specifications of their
products (Bojinov, Michalevsky, Nakibly, & Boneh, 2014).
The application should continue to use existing algorithm that enables the employees to
match the right product to the customers’ requirements, while providing recommendation to
further market other products that the company produces. The company shall use Pinterest
APIs from which the company has most of its products being marketed. .
In addition, during registration, the company should permit clients to select Facebook
details from their devices. This is shall be provided in an API that allows the App to read the
personal profile, taking email, full names and other details from Facebook. This is, however,
available to willing users. However, the mobile architecture will need to be properly secured as
this user mobile benefit will increase the threat if Pinterest or Facebook, is insecure, There is a
chance that the App user will be vindicated, as this benefit is a major source of spoofing attacks
(Bojinov, Michalevsky, Nakibly, & Boneh, 2014).
The company should continue to use Secure Sockets Layer virtual private network Virtual
private network (SSL VPN), which allows users at home to log into the network through their
smartphones as well as the web services. However, the SSL VPN is vulnerable because it can

THREAT MODELLING

5

allow for common system file-stem code to be used by a non-client to access the network.
Cisco ISA 3000 Industrial Security Appliance used in the company is an SSL VPN system
component that is present in the company’s system that is vulnerable to this type of attack. The
company handles this vulnerability, by its superior encryption models for data and network
access. The company provides a One Time Pin strategy, which is sent to the customer’s phone
for authentication of the correct login user details. This requirement should be maintained as
is. (Chen, Qian, Mao, Tang, & Yang, 2016).
Guest users and non-administrative users should only have access to is their profile and
banking details as needed for their ...


Anonymous
Really helped me to better understand my coursework. Super recommended.

Studypool
4.7
Trustpilot
4.5
Sitejabber
4.4

Related Tags