Available at: https://digitalcommons.calpoly.edu/theses/1844
MS in Electrical Engineering
The Open Web Application Security Project identifies that the number one vulnerability in mobile applications is the misuse of platform-provided security mechanisms. This means that platforms like iOS and Android, which now account for 99.8% of the mobile phone market, are providing mechanisms that are consistently being used in an incorrect manner. This statistic shines a spotlight onto both platforms. Why is it that so many people are misusing platform-provided security mechanisms? And is it the platform’s fault? The supposition of this paper is that both iOS and Android are not creating usable security mechanisms.
This paper is meant to be a direct response to the number one spot on the OWASP Top Ten Mobile Vulnerabilities list. As a result, our primary goal is to identify whether or not iOS and Android are creating usable security mechanisms. To do this we first proposed an evaluation framework that is tailored to evaluate the usability of mobile device security mechanisms. Then we used it to evaluate seven of the most important and therefore most popular security mechanisms provided by iOS and Android. Through this evaluation we not only hope to develop a clear landscape of overall mobile security mechanism usability, but we also hope to compare the usability across the two platforms.
Overall, it was found that both platforms adequately supported the more popular security mechanisms like key storage and HTTPS, whereas support for some of the more low-level mechanisms, like encryption and MACs, was often neglected. Such neglect could be seen in a number of different ways; however, the most common neglect came in the form of old documentation, or APIs that are long overdue for a rebuild or increased abstraction. Furthermore, both platforms barely addressed the testing of implementations, despite the fact that testing is arguably the most important part of the software development cycle. Both iOS and Android seldom gave the developer any guidance on verifying the functionality of their implementations.