Running Head: THREAT MODELLING
1
UNIVERSITY OF MARYLAND UNIVERSITY COLLEGE
PROJECT 3: Threat Model
Arlecia Johnson
CST620
for
Professor Alenka Brown
October 20, 2017
STEP 1: You need to address the following in your paper.
1. How a particular mobile application of your choosing conforms to mobile
architectures
2. asked to describe device-specific features used by the application, wireless
transmission protocols, data transmission mediums, interaction with hardware
components, and other applications.
3. identify the needs and requirements for application security, computing security, and
device management and security.
4. describe the operational environment and use cases, and identify the operating
system security and enclave/computing environment security concerns, if there are
any. This can be fictional or modeled after a real-world application.
5. Be sure to use APA citation format. This will be part of your final report.
I. Introduction
Mobile applications on smartphones have become a strong model of state-of-the-art
communication (Bojinov, Michalevsky, Nakibly, & Boneh, 2014). There is a need for all
organizations that deal directly with clients and have some allowance for e-commerce or
e-marketing to allow for the use of smartphone applications (Chen, Qian, Mao, Tang, & Yang,
2016). My company allows its employees the use of iOS, Windows Mobile, Android OS,
Symbian, and Blackberry Android interfaces on the company's architectural mobile
application.
Though there is a need for different data handling for each operating system, there has been
good integration, because the main purpose of the application is to sell, order, and view
products and advice (Chen, Qian, Mao, Tang, & Yang, 2016). This report looks into the
mobile application development and specifically the [what mobile application?]. In addition,
the report provides insight into best practices that should be employed by the company based on
the independent research.
I. Mobile Application Architecture
The mobile App selected for our company has iOS, Android and Blackberry interfaces and
allows for Windows Mobile and Symbian access. Blackberry is the most secure, but finds
little usage.
iOS is relatively secure considering the sophisticated technology used in iOS file
encryption. Android mobile Apps, on the other hand, use routers to distribute radio waves to
multiple users, which utilizes what is called Orthogonal Frequency Division Multiplexing
(OFDM). The importance to leadership is that users of the data are able to access the
database from one point; however, that data is less secure than with previous versions such as
time division multiplexing (TDM), which divided the signal into time slots and was very slow.
TDM was used with 2G Internet, while OFDMA is able to break the signal down into
bandwidths and utilize 4G Internet. OFDMA has increased the mobile App's efficiency through
the reduction of guard bands, which is enabled by the orthogonal feature of the application.
Meaning what? This application is enabled by Long Term Evolution (LTE) technology and is
currently the most efficient, but less secure than TDM multiplexing (Bojinov, Michalevsky,
Nakibly, & Boneh, 2014).
The common model of data transmission is radio transmission, which the company uses via
Cisco to reach clients countrywide. With the introduction of mobile Apps, typical radio
transmission is replaced with wireless mobile communications. It can operate across
national borders, but the company has not embraced the overseas markets. With the
introduction of mobile applications, there is an increase in the vulnerability of the company's
overall network, because the application is available for download and use regardless of location
(Bojinov, Michalevsky, Nakibly, & Boneh, 2014).
The wider the scope of the company's use of mobile Apps, the higher the level of
vulnerability of the company's overall architectural network, exposing the company's business
and clients' personal data. The hybrid application used allows for both web and mobile
application transmission, making it vulnerable to both web-based attacks and mobile App
attacks. One feature that makes it less vulnerable is that there are minimal user-to-user
interactions, and mostly user-to-database interactions (Chen, Qian, Mao, Tang, & Yang, 2016).
II. Requirements
The business function of the application is to allow users access to the company to carry out
transactions. It contains banking details and allows the users to give specifications of their
products (Bojinov, Michalevsky, Nakibly, & Boneh, 2014).
The application should continue to use the existing algorithm that enables the employees to
match the right product to the customers' requirements, while providing recommendations to
further market other products that the company produces. The company shall use the Pinterest
APIs, through which most of the company's products are marketed.
In addition, during registration, the company should permit clients to select Facebook
details from their devices. This shall be provided in an API that allows the App to read the
personal profile, taking email, full names and other details from Facebook. This is, however,
available only to willing users. The mobile architecture will need to be properly secured, as
this user benefit will increase the threat if Pinterest or Facebook is insecure. There is a
chance that the App user will be victimized, as this benefit is a major source of spoofing attacks
(Bojinov, Michalevsky, Nakibly, & Boneh, 2014).
The company should continue to use the Secure Sockets Layer virtual private network
(SSL VPN), which allows users at home to log into the network through their
smartphones as well as the web services. However, the SSL VPN is vulnerable because it can
allow common system file-system code to be used by a non-client to access the network.
The Cisco ISA 3000 Industrial Security Appliance used in the company is an SSL VPN system
component present in the company's system that is vulnerable to this type of attack. The
company handles this vulnerability with its superior encryption models for data and network
access. The company provides a One Time Pin (OTP) strategy, in which the pin is sent to the
customer's phone to authenticate the login details. This requirement should be maintained as
is (Chen, Qian, Mao, Tang, & Yang, 2016).
Guest users and non-administrative users should only have access to their profile and
banking details as needed for their use or work. These protocols may only be changed by the
network administrator.
The application may provide the client with a history of their transactions and other
purchase details. This is not seen to be critical to the network. However, client or company
data compromised by a hacker or insider actor could reveal the banking balances and some
personal banking details, for instance the Visa card numbers and the full details that can
induce a transaction (Bojinov, Michalevsky, Nakibly, & Boneh, 2014).
There are issues with IP addresses that need to be addressed. First, there are users of the mobile
App who also log into the system on the web. This shows multiple use of a single account,
which the IDS/IPS protocols identify as an alarm. The system immediately breaks down the
communication to the two devices, and the user is requested to log out from one device, per
the policies agreed upon in the process of signing up for the mobile App and web services
(Chen, Qian, Mao, Tang, & Yang, 2016).
Jail breaking is done to give devices the freedom to download and use Apps from other
sources. Apple, for instance, has higher restrictions and does not allow the use of applications
from any source other than the Apple store. Jail breaking allows the use of other applications. The main
risk is Trojan and malware penetration due to reduced security. Hackers can follow the new
applications and gain access to data on the mobile device. This reduces the usefulness of
the mobile device because it can no longer be used for the company's mobile App, but the
users can still use their web browsers (Bojinov, Michalevsky, Nakibly, & Boneh, 2014).
NEED A LEAD IN STATEMENT TO THE NEXT PARAGRAPH
III. Threats and Threat Agents
The first threat is the mobile storage of applications, for instance in memory cards or phone
memory, through which the user browses. This makes mobile memory vulnerable to malware,
for instance from a spear phishing or email spoofing attack.
The second threat is adversaries that begin reading content through PuTTY/WinSCP over
SSH. This is a threat since WHAT?
Another threat is sniffing through a Wi-Fi network. This threat does WHAT?
All the aforementioned threats are due to the beneficiary's details. Others include authorizing a
malicious application to read phone memory. Another threat is due to the higher chance of
device loss than for PCs, meaning that mobile Apps enhance threat agents (Bojinov,
Michalevsky, Nakibly, & Boneh, 2014).
Another threat that is least likely to be suspected is the organization's internal employees
who have access to clients' personal data and have malicious intentions: the insider threat. These
employees are tempted to violate the privacy and intellectual property rights of the client. In
addition, exploits of the company's network are also a threat to mobile Apps. We know web
applications can be attacked through backdoor hosting, and mobile Apps are no exception.
Hackers are able to access the data and exploit mobile applications for similar malicious
purposes as in other business units of the company's network (He, Chan, & Guizani, 2015).
IV. Methods of Attacks
Android devices are the most attacked devices. However, the company's Information
Technology division has set specific protocols that involve protection through isolation,
encryption and signatures.
Attackers mainly use spear phishing (Bojinov, Michalevsky, Nakibly, & Boneh, 2014). We
find in our forensic investigation that the users'/employees' signature can be manipulated by the
attacker to access the company's mobile devices through the use of Trojans. This malware
allows the attacker to use existing apps such as email and the Google Store to request the user to
download more applications that allow for malicious activities. This type of attack can permit
the attacker access to existing applications such as the company's application, whereby
personal information and data of the company's users, employees, and business transactions
can be collected and used by the hacker (He, Chan, & Guizani, 2015).
Our independent research shows these same attacks are effective on other mobile
devices, e.g., Windows Mobile, but not on Blackberry Android and Apple. Those phones do not allow
the use of infected applications, and most applications in their stores are kept infection free.
However, these two operating systems are mainly subjected to jail breaking.
V. Analysis of Threats
In the previous section, we established that spear phishing is possible against our mobile
applications. Our analysis shows this is done through several steps. First, the attacker needs
access to the target client. To get this information, the easiest way is to use email or social
media. A link listed on social media is clicked on a mobile phone that browses the Internet from
its memory card or internal memory. The Trojan is able to embed itself into the
memory (Bojinov, Michalevsky, Nakibly, & Boneh, 2014). The Trojan spreads, targets
email, and sends data back to the attacker. The attacker then sends a file to the client's email,
mainly a disguised GIF file, which, when clicked or exited, embeds malware into
the smartphone. This malware fakes a signature and attacks all applications, taking information
from the Apps, which is known as social engineering (He, Chan, & Guizani, 2015).
The second method of attack analyzed is network exploits. In network exploits, the hacker
looks for any loopholes in our mobile App source code. The loophole identified is used to penetrate
and conduct backdoor hosting activities. The hacker ensures that they have used the
administrative powers of backdoor hosting to shut down any firewalls that would discourage their
activities. They are then able to collect any saved passwords and usernames for important Apps,
including apps that hold delicate banking and health information of the mobile user (He, Chan,
& Guizani, 2015).
Our analysis shows both methods of attack use specific malware to compromise mobile
phones. However, we find there are also DDoS and DoS attacks, which mainly use malware. The
attacker uses malware after getting backdoor hosting privileges. In most cases the mobile
device is frozen while the cyber attacker carries out their activities. The attackers ensure that the
malware does not let the phone switch off, buying the hacker time to access all the data on the
mobile device's internal memory card, both enterprise data and personal data, which can
allow a malicious person to access one's account and retrieve data (Bojinov, Michalevsky,
Nakibly, & Boneh, 2014). How
VI. Controls
The first step to mobile App safety is keeping personal data such as passwords and usernames
safe. The data should not be stored for very sensitive applications. Most applications ask the
user to store passwords, but it is optional, and it is not recommended due to possible access
by hackers (Bojinov, Michalevsky, Nakibly, & Boneh, 2014). The user should be ready to
enter their login details every time they log into the services. One way an attack can be triggered, as
seen, is through access to data stored in memory cards; this data is not stored in the App,
but in the memory cards or internal memory adjacent to the application. Best practice,
therefore, is not remembering the login details (Chell, Erasmus, Colley, & Whitehouse, 2015).
The second way of securing Apps from the aforementioned threats is avoiding the installation of
unwanted applications. Most tempting applications that are not from trusted sources are used by
malicious actors to get access to mobile devices. Avoiding applications from untrusted
sources is a remedy that can prevent malware attacks and backdoor hosting. It protects the other
applications and stored data to some extent. The IDS/IPS system should remain as it is: it
should never allow users to log in from two devices at a go, because this can be a man-in-the-middle
attack in a deceptive model (Chell, Erasmus, Colley, & Whitehouse, 2015).
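As an added illustration of the IDS/IPS rule described in the Requirements and Controls sections (one account active from a second device raises an alarm and both connections are cut until the user logs out of one), the following Python is example code written for this review, not part of the original report; the log format, field names and sample events are constructed.

```python
"""Concurrent-login detection for one account used from two devices.

Added example, not from the original report. It models the IDS/IPS rule the
report describes: when a single account is active from a second device, an
alarm is raised and both connections are torn down until the user logs out of
one device. The log format, field names and events below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log: "timestamp user channel device_id src_ip action"
SAMPLE_LOG = """\
2017-10-20T08:00:01 alice mobile dev-ios-7f3a 10.10.1.20 login
2017-10-20T08:05:10 alice mobile dev-ios-7f3a 10.10.1.20 login
2017-10-20T08:07:45 alice web browser-9c1e 198.51.100.14 login
2017-10-20T08:09:00 bob web browser-22aa 203.0.113.5 login
this line is malformed and must be skipped
2017-10-20T08:12:30 alice mobile dev-ios-7f3a 10.10.1.20 logout
2017-10-20T08:13:00 alice web browser-9c1e 198.51.100.14 login
2017-10-20T08:20:00 bob mobile dev-and-41bb 10.10.2.9 login
"""


@dataclass
class Session:
    channel: str      # "mobile" (the App) or "web" (browser)
    device_id: str
    src_ip: str
    since: str


@dataclass
class Event:
    ts: str
    user: str
    channel: str
    device_id: str
    src_ip: str
    action: str


@dataclass
class Alert:
    ts: str
    user: str
    existing: Session   # the session that was already live
    attempted: Session  # the second device that triggered the alarm


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for malformed or unknown records."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, user, channel, device_id, src_ip, action = parts
    if channel not in ("mobile", "web") or action not in ("login", "logout"):
        return None
    return Event(ts, user, channel, device_id, src_ip, action)


class ConcurrentLoginMonitor:
    """Keeps at most one live session per account and enforces the policy."""

    def __init__(self) -> None:
        self.active: Dict[str, Session] = {}
        self.alerts: List[Alert] = []

    def handle(self, ev: Event) -> str:
        cur = self.active.get(ev.user)
        if ev.action == "logout":
            # Only the device that owns the live session can end it.
            if cur is not None and cur.device_id == ev.device_id:
                del self.active[ev.user]
            return "logout"
        new = Session(ev.channel, ev.device_id, ev.src_ip, ev.ts)
        if cur is None:
            self.active[ev.user] = new
            return "allowed"
        if cur.device_id == ev.device_id:
            return "refresh"  # same device re-authenticating, not a second device
        # Second device while a session is live: alarm, then drop both
        # connections so the user must log back in from one device only.
        self.alerts.append(Alert(ev.ts, ev.user, cur, new))
        del self.active[ev.user]
        return "denied_both_terminated"


def run_monitor(log_text: str) -> Tuple[ConcurrentLoginMonitor, List[str]]:
    """Feed a log to the monitor; return it plus a per-event outcome trail."""
    mon = ConcurrentLoginMonitor()
    outcomes: List[str] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed lines instead of crashing the monitor
        outcome = mon.handle(ev)
        outcomes.append(f"{ev.ts} {ev.user} {ev.channel}/{ev.device_id} -> {outcome}")
    return mon, outcomes


if __name__ == "__main__":
    monitor, trail = run_monitor(SAMPLE_LOG)
    print("\n".join(trail))
    for a in monitor.alerts:
        print(f"ALERT {a.ts}: {a.user} already active on {a.existing.channel} "
              f"{a.existing.device_id} ({a.existing.src_ip}) since {a.existing.since}; "
              f"second login from {a.attempted.channel} {a.attempted.device_id} "
              f"({a.attempted.src_ip})")
```

A production monitor would key sessions on an authenticated session token rather than a self-reported device id, since the latter can be spoofed by the second client.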
For smartphone operating systems such as Apple and Blackberry Android, it is important to
stick to the services provided. The process of jail breaking opens up the mobile device to
threats that are curbed by the device if it is kept on its original operating system (Bojinov,
Michalevsky, Nakibly, & Boneh, 2014). It is important to avoid jail breaking because it affects
the firewalls and malware protection offered by the device. Apple devices using iOS are protected
from installations from unknown sources. Android devices, on the other hand, can allow
downloads from unknown sources, but in most cases prompt the user. Android devices should
have their settings left at the default, which disallows downloads from untrusted sources other
than the Google Market (Bojinov, Michalevsky, Nakibly, & Boneh, 2014).
VII. Conclusion
There are threats that are very common to both web-based and mobile Apps. Some are specific
to web-based Apps, and others are specific to smartphone Apps. In most cases, the threats
depend on the operating system. Some devices, such as Android and Windows, are more
vulnerable than Apple and Blackberry Android (Bojinov, Michalevsky, Nakibly, & Boneh,
2014).
(new thought new paragraph) Spear phishing is common in mobile attacks, but other
models of attack such as man-in-the-middle attacks are common as well. These attacks aim at
collecting data and essential passwords.
The company should develop policies that require the users to be cautious with their
information. They should also disallow the use of jail broken devices. Users of web services
should be advised not to store passwords in their phones' memories if they still browse from
the same memory slots. The IDS/IPS system should remain as it is: the IDS/IPS should never
allow users to log in from two devices at a go, because this can be a man-in-the-middle attack
in a deceptive model (Chell, Erasmus, Colley, & Whitehouse, 2015).
There is no reference to these screen shots in the report above, so they are not needed. If you
wish to turn them in separately, each screen must have a title, for example, Screen Shot 1: [title],
and a one to two sentence description of what the screen shot is about.
References
Bojinov, H., Michalevsky, Y., Nakibly, G., & Boneh, D. (2014). Mobile device identification
via sensor fingerprinting. arXiv preprint arXiv:1408.1416.
Chell, D., Erasmus, T., Colley, S., & Whitehouse, O. (2015). The mobile application hacker's
handbook. John Wiley & Sons.
Chen, M., Qian, Y., Mao, S., Tang, W., & Yang, X. (2016). Software-defined mobile networks
security. Mobile Networks and Applications, 21(5), 729-743.
He, D., Chan, S., & Guizani, M. (2015). Mobile application security: Malware threats and
defenses. IEEE Wireless Communications, 22(1), 138-144.