A Survey of Mobile Database Security Threats and Solutions for It

Parviz Ghorbanzadeh
Computer Department Urmia University of Technology Urmia, Iran P.ghorbanzadeh@gmail.com

Aytak shaddeli
Computer Department Urmia University of Technology Urmia, Iran A_shaddeli@yahoo.com

Roghieh Malekzadeh
Computer Department Urmia University of Technology Urmia, Iran Roghieh.malekzadeh@gmail.com
Abstract This article show different mobile database security threats that may be occurs for mobile database in the real world and gives possible solution to eliminate them. Mobile database is a specialized class of distributed systems. There are security challenges due to the distributed nature of the mobile database application and the hardware constraints of mobile devices. In this document, we will deals with the subject of security in four fields. These four areas include: Security of mobile device, security of operating system on mobile device, security of mobile database and security of mobile network. We identify a set of security vulnerabilities on mobile database and try to apply appropriate technique to decrease side affect for mobile database security. Important security issues for mobile device, mobile operating system and mobile network that maybe affect on mobile database security are discussed along with possible solution. Finally, for more security, this paper offers a comprehensive solution that may be applied to distributed database. Keywords- Mobile database security; security vulnerabilities; distributed database

Zoleikha Jahanbakhsh
Computer Department Urmia University of Technology Urmia, Iran Z_jahanbakhsh2003@yahoo.com proposed for one of the security issues. First, security issues divided to four fields that they are important from many aspects. Mobile device, operating system on mobile device, mobile database and mobile network are four fields that we will discuss security issues. The integrated presentation is important to Researchers and developer to understand the problem domain effectively and probably propose more secure mechanisms in the future. The objective of this paper is to conduct a Comprehensive survey on existing security mechanisms and explore disadvantage security of them. In addition, a recommendation for any security issue is also provided. The rest of the paper is organized to offer a possible Solution for distributed database and apply appropriate techniques to satisfy the corresponding security requirements. II. MOBILE DEVICE AND WINDOWS MOBILE DEVICE SECURITY

I.

INTRODUCTION

The purpose of this document is to provide information to users and organizations on the security capabilities of Worldwide Interoperability for mobile database system and provide recommendations on securing mobile database technologies effectively to users and organizations employing them. Security support is mandatory for any database system. For mobile database systems, security support is even more important to protect the users and devices as well as the database. In mobile communication, since wireless medium is available to all, the attackers can easily access the network and the database becomes more vulnerable for the user and the central computer that located distributed database on it. In the existing research, there is lack of integrated presentation of solutions to all the security issues of mobile database system, which is important for researchers and developers of mobile database. This paper discusses all the security issues in both mobile database system and mobile network and discusses their solutions. In addition, a new recommendation is also

Security is an important topic for Windows Mobile Application Developers. Depending on the security configuration of particular devices, applications might need to be signed with either a privileged or unprivileged certificate. Besides signing applications, it is also important to understand the impact of executing applications on 1-tier and 2-tier secure devices. Especially on a 2-tier security configuration, unprivileged and unsigned applications have restricted access to device resources. Windows Mobile devices Security model summarized as follow: 1) Application execution security: Applies to code execution. Controls the applications that can run on the device. Controls what applications can do. 2) Device configuration security: Applies to device management security. Controls that can access to specific device settings. Controls the level of access to device settings.

676

3) Remote access security: Remote API (RAPI) control through ActiveSync. Controls what desktop applications can do on the device.

A. Applocation Execution Permissions Depending on the security configuration of a particular Windows Mobile device, applications might be allowed to run or might be blocked from execution on the device. The following application execution permissions are defined for Windows Mobile devices: x Privileged: The application can do everything on the device, has full write access to the file system and to the system Registry, and is also allowed to install certificates that might allow other applications to run on a particular Windows Mobile device. Normal: The application is restricted in its execution; it cannot call trusted Win32 APIs, write to protected areas of the Registry, write to system files, or install certificates. Blocked: The application is not allowed to execute at all. x

Security off :In this policy unsigned applications are allowed to run without prompting the user. The security off policy is a one-tier policy. The security off policy is the default configuration. A device configured with the security off policy is extremely venerable because the device can install malicious applications without your knowledge and those applications have unrestricted access to the device. One-tier prompt: This policy allows signed applications to execute; the device prompts the user before executing unsigned applications. Once an application is executing, it has no restriction on permissions. This is true for both signed and unsigned applications. Two-tier prompt: This policy allows signed applications to execute; the device prompts the user before executing unsigned applications. If the user allows an unsigned application to execute, the application executes with normal permissions. Signed application executes with normal or privileged permissions. Mobile2Market locked: Applications that are signed can execute; users are not prompted to execute unsigned applications. These unsigned applications simply cannot execute. Once the application is executing, the permissions are determined by whether the application is signed with a certificate from the privileged certificate store or the normal certificate store.

Different access levels determine what an unsigned application is allowed to do on a Windows Mobile device. These different access levels are called tiers. The security policy of a particular device determines just how that particular device handles the issues of application signatures and permissions. The first part of the security policy is the device security tiers; devices can have one-tier or two-tier security. A device with one-tier security focuses only on whether an application is signed; there is no concept of permission restrictions in one-tier security. Under one-tier security, any running application can call any API, modify any part of the file system and modify any part of the registry. One-tier security only restricts application startup. Signed applications can execute with no further checks; unsigned applications require further policy checks to determine if they can run. Two-tier security restricts both application startup and application run-time permissions. On a device with two-tier security, signed applications can execute with no further checks, unsigned applications require further policy checks to determine if they can run. At run-time, two-tier security restricts an applications access to the APIs, registry, and file system based on the permissions associated with the certificate the application is signed with. Applications signed with a certificate from the privilege certificate store execute with privileged permissions, all other applications run with normal permissions. The next two parts of the security policy are closely tied together: whether unsigned applications can execute and whether the user should be prompted before the unsigned application executes These three security settings create four common security policies:

The security policy settings are stored in the secure part of the device registry. Without persistent storage, if the Windows Mobile device's battery dies, settings revert to the default security settings in ROM when the device is powered again. With persistent storage, if the Windows Mobile device's battery dies, then the security settings will remain unchanged when the device is powered again. When the device is coldbooted manually by the user, the persistent store and all program and user data is erased, reverting to what was flashed into ROM. B. On-Device Security Policies Device-level security involves managing who has access to a device and its data, controlling which applications can run on the device, and establishing how data is transmitted to and from the device. User access is managed through a PIN or password authentication. A device can be set to lock automatically after a period of inactivity or after being turned off, requiring a user to unlock the device again to use it . C. Best Security Practices for Windows Mobile Devices x Set the RAPI policy to restricted mode whenever other security policies restrict access to the device. x Prompt the user before running normal applications. Microsoft highly recommended that you keep the User Prompt mode on for unsigned application for all Windows Mobile devices.

677

Assign unsigned themes with a security role of User Unauthenticated. Microsoft highly recommends that you keep the Unsigned Theme policy the SECROLE_USER_UNAUTH security role. This is the default setting. Keep your Bluetooth off. Users can enable Mobile Encryption through the Encryption Control Panel Application (CPA) which is available on under Settings > Security. Devices corrupt deleted information on memory cards to prevent access to it.
TABLE I. PROTECTION AGAINST THREATS AND RISKS [4] Windows Mobile 6 Security Features Device lock requires a password or PIN to access the device when it is turned on Local and remote device wipe occurs after a specified number of incorrect login attempts Local and remote storage card wipe erases data and helps to prevent unauthorized use Storage card encryption helps to prevent unauthorized use Custom Local Authentication Subsystem (LAS) and Local Authentication Plug-in (LAP) provide the infrastructure for authentication by sophisticated third-party hardware and software methods. Password policy enforcement, such as required password for synchronization Flexible client authentication: SSL TLS, Exchange ActiveSync, Certificate-based, RSA SecurIDprotected Users can add root certificates without compromising device management security and without being a manager of the device Security policies help to control over-the-air access to device Bluetooth discovery mode can be prohibited to help guard device integrity (Supported in Windows Mobile 6 Standard only) Security policies help control acceptance of unsigned attachments, applications, or files Attachments for download can be denied or sizerestricted Office Mobile applications do not support macros, so viruses cannot leverage them to do damage Code execution control allows the device to be locked so that only applications signed with a trusted certificate can run

security and integrity across the multiple nodes. Requirements for database management systems are: x Multi-Level Access Control x x x x x authentication Confidentiality Reliability Integrity Recovery

x x

Threat or Risk

Mobile database is a specialized class of distributed systems where some nodes can disengage from joint distributed operations, move from the cell serviced by one base station to that serviced by another base station to make continuous connected operation possible. Mobile databases can be distributed under two possible scenarios: 1. The entire database is distributed mainly among the wired components, possibly with full or partial replication. 2. The database is distributed among wired and wireless components. Data management responsibility is shared among base stations and mobile units.

Access to data because of device theft or loss

Unauthorized penetration into corporate network

Unauthorized penetration into mobile device

Device corruption

Malicious software or viruses on mobile devices

B. Problems, Security challenges and Solutions for mobile distributed database Some of the software problems in distributed database systems may involve data management, transaction management, and database recovery. In mobile computing, however, these problems are more difficult, mainly because of the limited and intermittent connectivity afforded by wireless communications, the limited life of the power supply (battery) of mobile units, and the changing topology of the network. Therefore, it is necessary to manage data on the mobile unit that such disconnected operation is possible. In the case of a mobile database application that it is a distributed database, there are security challenges due to the distributed nature of the application and the hardware constraints of mobile devices. The major issues in multilevel security on Distributed Security Manager are authentication, data confidentiality, identification and enforcing appropriate access controls. 1) Authentication. User authentication is the primary line of defence for mobile and handheld devices such as Personal Digital Assistants (PDAs). Authentication determines and verifies the identity of a user in the system, i.e., providing an answer to the question: Who is the user? Traditional authentication mechanisms rely on maintaining a centralized database of user identities, making it difficult to authenticate users in a different administrative domain as depicted [5]. This mechanism for providing security in mobile device is a difficulty for every system providing safe access to precious, private information, or personalized services. Issue here is the authentication mechanism should be distributed, and the various components of the authenticator need to communicate

III.

SECURITY OF MOBILE DATABASE

A. Distributed Databases A distributed database system includes a distributed database management system (DDBMS), a distributed database and a network for interconnection. A distributed database is data that is distributed across multiple databases. The DDBMS manages the distributed database. Distributed database system functions include distributed query management, distributed transaction processing and enforcing

678

with each other to authenticate a user. In centralized environment, the authenticator needs to have information about all of the users of the system. There are three basic authentication means by which an individual may authenticate his identity. a) Something an individual data (e.g., a password, Personal ID Number (PIN), the combination to a lock, a set of facts from a person's background). b) Something an individual POSSESSES (e.g., a token or card, a physical key to a lock). c) Something an individual IS (Intermediate System) (e.g., personal characteristics or "biometrics" such as a fingerprint or voice pattern), this technique works on the Fingerprint basis whereby the phone can be accessed when it identifies the Fingerprint of the user(s). Mobile device user need only authenticate him to the first device he logs into and that device passes the authentication data to each of the other devices then the user can to access. This scheme requires that all of the devices on the network are capable of reliably handling this authentication data. Standardization efforts such as Open System Environment (OSE), Portable Operating System Interface (POSIX) and Government Open Systems Interconnection Profile (GOSIP) can contribute to this goal of transparent authentication across networks. By notation to three basic authentication means that we describe, PIN based authentication is a method for verifying the identity of actual device users, but this method have considerable drawbacks, because pick PIN or passwords can be easily guessed. For prevent guess a password, user have to defines a complex password, then it is often hard to remember. To address this problem in handheld devices, have developed comparatively more secure, affordable and memorable authentication schemes based on graphical assistance or Biometric authentication, such as fingerprints, voice recognition, iris scans, and facial recognition are not yet widely adopted [6]. The major drawback of this approach is that such systems can be expensive, and the identification process can be slow and often unreliable. 2) Data confidentiality. Typically, the increasing connection of travelling users to corporate databases to make personal data available to mobile users introduce new threats on data privacy and confidentiality. Nowadays, one solution is considered that called C-SDA (Chip- Secured Data Access), which allows querying encrypted data while controlling personal privileges. C-SDA is a client-based security component acting as an incorruptible mediator between a client (potentially mobile) and an encrypted database. This component is embedded into a smart card to prevent any tampering to occur on the client side. It is better to embed the user's confidential data into her own mobile device (e.g., a PDA). Apart from their limitation in terms of storage capacity, even these devices cannot be fully trusted because they can be stolen, lost or destroyed (thus a copy of the data they host has

to be maintained in the network to guarantee data resiliency) [8]. Another way to provide confidentiality is through encryption, either using the public key of the receiving principal or using a combined symmetric key and public key method. For instance, the agent can be encrypted using a symmetric key and the symmetric key protected using the public key of the receiving principal. Encryption often used to protect data on insecure networks or storage devices. 3) Identification. The process of verifying a user's identity is typically referred to as user identification and authentication. Passwords are the common method used for authenticating computer users, but information as name (e.g., first or last) or a Passwords, email address provides no assurance of identity, in preventing unauthorized access to computer resources when used as the sole means of authentication, so some users are beginning to use biometrics as methods of user identification. If we want use from passwords as security means so have to management use of passwords by Periodic changing of passwords that it depends on the sensitivity of the data, or use of deliberately misspelling words, combining two or more words together, or including numbers and punctuation in a password, so that prevent the guess of passwords. The identity must be unique so that the system can distinguish among different users. The identity should also be non-forgeable so that one person cannot impersonate another. An important distinction between identification and authentication is that identities are public whereas authentication information is kept secret and thus becomes the means by which an individual proves that he actually is who he claims to be. In addition, identification and authentication provides the basis for future access control [9]. 4) Access control. Access control protects data integrity by limiting who can alter data. The access control rules enforced in a distributed environment may be distributed, centralized or replicated. If the rules are centralized, then the central server needs to check all accesses to the database. If the rules are distributed, then appropriate rules need to be located and enforced for a particular access. Often the rules associated with a particular database may also be stored at the same site. If the rules are replicated, then each node can carry out the access control checks for the data that it manages [10]. Relational database systems implement access control in the SQL language, using the GRANT and REVOKE commands. The GRANT command is used to give privileges to users. It has the following syntax: GRANT privileges ON object TO users [WITH GRANT OPTION] In SQL, object may be a base table or a view and a list of column names. The privileges include SELECT, allowing read access to the named columns of the indicated table, as well as INSERT, UPDATE, DELETE, with expected meanings. The user's parameter may refer to a single user or a group of users.

679

The REVOKE command is used to remove previously granted privileges. Multilevel secure database management system (MLS/DBMS), users cleared at different security levels access and share a database with data at different security levels (also called sensitivity levels) without violating security, and is based on distributed data and distributed control, all data in the database must receive an access classification and a user at a lower classification level will be unaware that data exists at a higher classification level. From the design point of view and security policy of MLS/DBMSs, access control systems can be classified into, discretionary access control (DAC), mandatory access control (MAC), and role-based access control (RBAC)[11]. a) Discretionary Access Control (DAC): This approach hinges upon the granting and revoking of privileges. Typically, a lattice is maintained in the DBMS that stores the access privileges of individual users. When a user logs on, the interface obtains the specific privileges for the user. These privileges are identified with a user or account, and can be of two types. The first type, account level, allows the user system privileges such as Create/Delete Table, or ability to add/delete table columns. The second type, or table level, is more granular. It allows the user to access, or not, specific data within the database [11]. b) Mandatory Access Control (MAC): This mechanism restricts access to data depending on the sensitivity levels of the data and the clearance level of the user. By classification level of the user, Users can read or modify data in their view The view is a logical table, which is created with the SQL VIEW command, this table contains data from the database obtained by additional SQL commands such as JOIN and SELECT- If the database is unclassified, the source for the view is the entire database. On the other hand, the database is subject to multilevel classification, and then the source for the view is that subset of the database [12]. If the view is properly designed, a user at a lower classification level will be unaware that data exists at a higher classification level; In fact, the view prohibits users from accessing data. These constraints are mandatory and automatic. The system must review these constraints each time it encounters a request for a read or write. c) Role Based Access Control (RBAC): RBAC is evolution from those older policies. The main concept under RBAC is that privileges are encapsulated into roles. Users are then assigned to roles, and acquire those privileges. A role is defined as "an explicit (i.e., named) representation of a collection of privileges which are defined and used by system administrators and users." With RBAC, database administrators may create roles, assign privileges to those roles, and then assign users to roles based on their specific job responsibilities and roles. MAC and RBAC models have been used in conjunction with one another. The data items are assigned to classification levels (as in MAC) and the user privileges are concatenated into roles (as in RBAC).

d) Comparisons between policies: In this section do an overall evaluation of how the secure access models fared in their testing against the mobile database characteristics: Because DAC does not impose any security upon these items, it cannot determine or track if users are accessing unauthorized data items. In preventing privilege level changes, DAC's views mechanism enforces access privilege rules. However, privilege rules may be circumvented by the Trojan horse problem to which DAC is vulnerable. The MAC model does much better than DAC in satisfying these security requirements. The MAC model is in attempting to satisfy the data availability requirement. As with the system responsiveness in the potential threat section, the overhead and inflexibility of this security model can lessen data availability. In general, most MLS/DBMSs enforce a MAC policy where a subject reads an object (such as row or relation) if the subjects security level dominates the security level of the object and a subject updates an object if the subjects security level is that of the object. Of the three secure access models, RBAC performed the least well. It lacks the granular control necessary to enforce user access rules or protect against unauthorized entry by external actors. Role based access control (RBAC) is a technology that is attracting increasing attention, particularly for commercial applications, because of its potential for reducing the complexity duplication of access control information and cost of security administration in large networked applications. IV.
SECURITY OF MOBILE NETWORK

Mobile operators 3G networks are not only exposed to all the virtual pathogens already in circulation, but also to mobile specific viruses and Trojans, as well as to direct attacks such as Denial of Service (DoS) on their networks from hackers and criminal organizations. These types of attacks employ methods which wired ISPs have been dealing with for a much longer period of time. There are also variations on these attacks which exploit weaknesses in the architecture and some of the protocols used in 3G cellular data networks. To protect their networks and customers, then, mobile operators need to: x Take an architecture approach to implementing security solutions in their network; point solutions are not sufficient x Deploy a variety of products in their networks, such as firewalls, intrusion detection and prevention (IDP) and virtual private networks (VPNs) Make client-side anti-virus and firewall software readily available to their subscribers who use data devices (e.g., feature phones with data capabilities, Smartphone, notebook computers) Be vigilant and adopt appropriate security policies that reflect the threats in the 3G world. This has additional ramifications given the widespread use of Wi-Fi and the general evolution toward networks based on the IP Multimedia System (IMS) standard

680

Be aware that their networks are only as secure as the weakest link. Mobile operators need to work with each other, the ISP community and other telecom providers to ensure that even the minimum amount of security is quite strong. Vigorously protect signaling as the migration of signaling traffic over IP creates new risks. Mobile operators carry much more signaling traffic than their wired Counterparts and signaling is mission critical traffic.

The security implication here is that with more users of varied data-capable devices who are accessing content and communicating with one another across multiple networks, there will be more traffic on the cellular networks. That implies a higher likelihood of attacks occurring from any number of sources. For example, many sophisticated attacks disguise themselves in data flows across sessions and ports the more traffic there is, the harder it is to identify the threats. At a high level, there are numerous vulnerable elements in mobile operators data networks: x The mobile equipment (ME) itself, such as laptop computers, cell phones, PDAs, Smartphone x The over-the-air wireless link between the ME and the cellular base station (BS) this is the UMTS/HSDPA or EV-DO connection Interfaces to other mobile networks GPRS/UMTS networks this is the Gp interface on

In this paper will explore the following topics: x Why 3G wireless networks are now vulnerable and at what points they are vulnerable x x x The types of attacks that can be perpetrated against those networks The types of products that can be deployed to help guard 3G networks Future threats to mobile operators, specifically regarding IMS which is being deployed by fixed and mobile carriers around the world.

x x

Interfaces to the data networks the Internet or private data networks; on GPRS/UMTS networks this is the Gi interface Management and service elements such as the Home Location Register (HLR) which stores subscriber data (the Ga interface on GPRS/UMTS networks). In IMS, the HSS (home subscriber server) performs the function of the HLR Application / content servers Signaling protocols and/or interfaces within a network and inter-networks. Solution for Securing of Mobile Network

Finally, this paper also suggests some steps mobile operators can take to minimize the risk to their networks and their customers. Cellular data networks are vulnerable for several reasons: 1) Mobile operators are building out high speed wireless networks that are based on the Internet Protocol (IP) which allow users to do more while connected. 2) Mobile operators have opened up their networks to the public Internet and to other data networks, making their 3G networks more vulnerable to attacks. 3) Mobile operators are evolving their networks to IMS, enabling interconnected networks all running on IP.
TABLE II. TYPES OF ATTACKS AGAINST MOBILE NETWORKS Target Other users, network elements (content servers) Type of Attack Worm, Virus, Trojan, SMS/MMS spam Denial of service, SYNflood, application layer attacks (on RADIUS servers, buffer overflows, SIP flooding, RTP flooding) Overbilling attack Spoofed PDP context Signaling-level attacks (SIGTRAN, SIP) which involve modification, interception, DoS

x x A.

Purpose Harassment, denial of service / service interruption

For mobile operators, the first step in defeating attacks on their networks is to recognize their newfound role as an ISP. This means implementing a layered defense for their network that: x Changes security policies and practices to better reflect the new threats x Concentrates, whenever possible, wireless data services into a smaller number of data centers. Many mobile operators in Europe have already taken these types of steps to protect their core networks Protects end users by implementing technology on their devices and in the network e.g., anti-virus, firewalls, content scanning that provides file-level security Deploys security products such as firewalls, virtual private networks (VPNs) and intrusion detection and prevention (IDP) systems at appropriate points in the network, which provides packet level, session level and application level protection securing the Mobile Network

Attack ability to provide service

HLR, AAA, content servers, signaling nodes

Fraud Service theft Attack ability to provide service

Operators management elements (AAA, HLR, VLR, etc.) User sessions

Signaling nodes

681

V.

CONCLUSION

Distributed Database Security is integral to the design and function of a distributed database. There are three important pieces to Distributed database security; Physical, User, and Network. These pieces work in conjunction with policies, standards, and procedures. Policies are directions that support a goal. Solutions described above must be applied to a distributed database on a goal. Also, human factor and traits should not be ignored in this system. Because, a user as who one uses this system, would be considered as an effective factor for security. Of course, we could emphasis that only concentration on reviewed items could not be enough and for more security, during implementation would be considering an appropriate architecture. REFERENCES
[1] [2] [3] [4] [5] [6] [7] http://www.windowsmobileinyourpocket.com http://webclub786.blogspot.com http://msdn.microsoft.com Security Model for Windows Mobile 5.0 and Windows Mobile 6, February 2007 S. Miltchev and J. M. Smith, V. Prevelakis, A. Keromytis, S. Ioannidis, Decentralized Access Control in Distributed File Systems, 2003 M. N. DOJA, NAVEEN KUMAR, user authentication schemes for mobile and handheld devices, Jamia Millia Islamia - New Delhi,2007] L. Bouganim, P. Pucheral, "Chip-Secured Data Access: Confidential Data on Untrusted Servers", Int. Conf. on Very Large Data Bases (VLDB), 2002. EPFL, U. Grenoble, INRIA-Nancy, INT-Evry, U.Montpellier, U.Paris, U.Versalles, Mobile Databases: a Selection of Open Issues and Research Directions, SIGMOD Record, Vol. 33, No. 2, June 2004 Identification and authentication, NIST Computer Security Handbook lker Kse, Distributed Database Security, Data and Network Security Spring 2002 K. Johnson, The Design of Secure Mobile Databases: An Evaluation of Alternative Secure Access Models. A Master's paper for the M.S. in I.S. degree. August, 2002. 110 pages. Advisor: Stephanie W. Haas. S. P. Coy, Security Implications of the Choice of Distributed Database Management System Model: Relational vs. Object-Oriented, 1997 Info-Security Handbook 2007

[8]

[9] [10] [11]

[12] [13]

682