Smartphones and tablet devices have spread rapidly in recent years, and their annual shipments are said to have exceeded those of PCs. Like PCs, these devices have various vulnerabilities, and users may be exposed to security risks. What kinds of dangers exist at present? We asked Junichi Murakami, Director of the New Technical Development Office of Fourteenforty Research Institute, who works on vulnerability research, and Tsukasa Oi, a research engineer, about trends and countermeasures for devices running iOS, Android, and Windows Phone.
Junichi Murakami (left) and Tsukasa Oi of Fourteenforty Research Institute. Mr. Oi also gives talks at overseas security conferences.
iPhones and iPads running iOS are basically sold to users with protections applied by Apple. Vulnerabilities in iOS are used to remove this protection (commonly known as "jailbreaking") so that system administrator privileges can be obtained. Jailbreaking is generally something users do of their own will when they want to customize an iPhone or iPad more extensively than is normally possible. However, because it relies on vulnerabilities, Mr. Oi points out that "the attacker can put the device into a jailbroken state, regardless of the user's intention." As a result, the user is at risk of having confidential information stored on the device, such as phone book data, stolen, or of having the device operated illegitimately.
On Android devices, no case has been confirmed in which a third party obtained system administrator privileges by abusing remotely exploitable vulnerabilities, such as those in WebKit. On the other hand, attacks that abuse vulnerabilities in system applications installed on the device and in drivers are conspicuous. The attacker installs an app that appears to be a legitimate app but has malware functions built in, and then acquires system administrator privileges (commonly known as "rooting" on Android), steals information, or operates the device fraudulently.
As for Windows Phone, no vulnerability is being abused by methods like those described above for iOS and Android, but when Mr. Oi analyzed a device running the first version (HTC 7 Mozart, OS version 7.0.7004), he found that its heap memory protection was insufficient compared with iOS and Android. If a vulnerability is found, the information of apps installed on the device may be damaged by an attacker.
Android and Windows Phone devices come from a wide variety of manufacturers. In some cases, functions that a manufacturer has added on its own are vulnerable. Some manufacturers also provide a specific communication channel (a backdoor) on the device. It is intended to be used only by authenticated system applications, but if an attacker can execute arbitrary code, there is a risk that the backdoor will be exploited.
What should be done about vulnerabilities in smartphones and tablet devices? Mr. Murakami advises that, for iOS and Windows Phone, it is important for users to apply the patches provided by the developers, Apple and Microsoft.
"Because new vulnerabilities are always being found, even if patches are applied, it becomes a "plague" situation in which other vulnerabilities come to light, but the vendors that manage the OS are relatively quick." (Mr. Murakami)
On Android devices, on the other hand, there is no option other than applying the patches and updates provided by the manufacturer. In addition, there is the problem that manufacturers differ in how they respond to vulnerabilities.
"A survey by the IPA (Information-technology Promotion Agency) revealed that devices with vulnerabilities are not being updated. Android has a very fast development pace and many manufacturers customize it, so there is a situation in which vulnerabilities have not been fully addressed," Mr. Murakami points out.
As Mr. Oi explains, most attacks targeting Android currently abuse apps. Users can take some security measures themselves, such as using Android Market and the official app stores provided by telecommunications carriers and avoiding the installation of suspicious apps as far as possible. Even when installing an app, it is necessary to check the permissions that the app requests.
"If permissions are requested, you need to be careful about whether they seem necessary for the app's original function. An app that carries advertising may request permission to read the device's settings information, or conversely, in some cases it may not be clear from the permissions, and it may be difficult to check properly." (Mr. Oi)
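The permission check described above can be made repeatable for someone vetting apps before installation. The following is an added example, not code from the article or the researchers: it reads the `uses-permission` entries from a decoded AndroidManifest.xml and reports those outside a baseline for the kind of app being reviewed. The `EXPECTED` baseline, the category names and the sample manifest are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# XML namespace Android uses for the android:name attribute.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Hypothetical reviewer-maintained baseline (assumption): the permissions each
# kind of app plausibly needs for its stated function.
EXPECTED = {
    "flashlight": {"android.permission.CAMERA"},
    "ad_supported_game": {"android.permission.INTERNET",
                          "android.permission.ACCESS_NETWORK_STATE"},
}

# Constructed sample manifest in decoded text form (not taken from a real app).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission/>
</manifest>
""".strip()

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for element in root.iter("uses-permission"):
        name = element.get(ANDROID_NS + "name")
        if name:  # skip malformed entries that carry no android:name
            names.add(name)
    return names

def review(manifest_xml, category):
    """Compare declared permissions with the baseline for this app category."""
    if category not in EXPECTED:
        raise KeyError("no baseline defined for category: " + category)
    requested = requested_permissions(manifest_xml)
    expected = EXPECTED[category]
    return {
        "unexpected": sorted(requested - expected),       # needs a human look
        "unused_expected": sorted(expected - requested),  # informational only
    }

if __name__ == "__main__":
    print(review(SAMPLE_MANIFEST, "ad_supported_game"))
```

An empty `unexpected` list only means the declared permissions match the baseline; as Mr. Oi notes, the permissions do not always make an app's behaviour clear.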
When smartphones and tablet devices are used in a company or similar organization, security measures can be strengthened by using a mechanism called "mobile device management (MDM)". MDM provides functions to remotely erase data or lock the device if it is stolen or lost, and some products and services also have functions to restrict which applications can be executed. Mr. Oi advises, "This is my personal opinion, but on Android it is better to consider not using anything other than commercial apps."