Protecting Mobile Devices with Periodic Mobile Forensics

August 2014
Topics: Wireless Communications, Cybersecurity, Computer Security, Information Security Technologies, Information Security Risk Management
Government and industry are increasingly encouraging employees to use organization-issued Android smartphones and mobile devices for their work. MITRE has developed a capability to help them more closely monitor their mobile infrastructure.

As increasing amounts of sensitive enterprise-wide information become available and accessible on these devices, the risk of organizational data loss increases because of mobile devices' greater vulnerability to malicious hacking. Just one employee downloading a malware-infected app could put an entire organization's information technology infrastructure at risk.

Two major challenges facing MITRE sponsors incorporating smartphones into their IT infrastructure are policy enforcement and device auditing. Commercial solutions for mobile policy enforcement often can't maintain a comprehensive enough overview of a mobile device's state to adequately monitor it for malicious behaviors. Our researchers have developed a capability that complements most of these commercial solutions, helping them to better audit an organization’s mobile infrastructure and verify it's operating securely.

MITRE's Periodic Mobile Forensics (PMF) capability monitors an organization's Android smartphone infrastructure to provide measurable assurance that the right people are using it in the right way for the right purposes. Based solely on audited mobile device activity, PMF can help organizations identify employees who may be abusing their smartphone privileges or flag when somebody other than the authorized person is using a device. It can also help discover any malicious applications installed on the smartphones.

Making a Difference with Differential Analysis

"Organizations are asking their employees to do more of their work using mobile devices," says Mark Guido, a MITRE principal engineer and PMF project lead. "It's like walking around with your office computer in your pocket." However, securing a mobile device is more difficult than securing a desktop computer. Mobile devices pull in data over a variety of communications protocols: Wi-Fi, mobile broadband, Bluetooth, Near Field Communication.

Using a technique called differential analysis, PMF provides organizations with the ability to better audit mobile users and devices. Guido compares this technique to a "Spot the Differences" puzzle in a newspaper. "Essentially we have two images: a known 'good' state of the device and a recent snapshot," says Guido. "We can compare the two to see if there are a bunch of changes on the device. If there are, then we have to identify those changes and determine if any of them are malicious."

Differential analysis enables PMF to compare forensic images at different time offsets (snapshots) or compare images to a common "gold" image. PMF takes constant snapshots of the state of the mobile device. By comparing the most recent snapshot to previous ones, PMF can detect and alert an organization to changes in the device's operating state. This allows an organization to take advantage of the enormous potential of Android smartphone technology without exposing itself to the increased data vulnerability these devices can present.

MITRE's Periodic Mobile Forensics detects malicious activities on smartphones that could leave sensitive data exposed.

Keeping Close Watch

Some malware can escape detection by preventing an infected phone from reporting its presence. PMF, however, can spot any changes infiltrating malware has made to the devices' storage—even if the malware fools the device into reporting a normal operating state.

"We're not relying on the device to tell us that it's okay," says Guido. "If we have a question as to whether a device has been compromised, we're not relying on the device itself to provide us the answer. By downloading snapshots of the state of the device to an enterprise server, we can observe and audit device changes in a secure location. This makes it difficult for an attacker to influence how we interpret those results."

Not all differences in the state of a mobile device are evidence of malicious behavior. "Some differences occur as the result of the normal function of the phone," says Guido. But by continually auditing all actions and events about the state and use of the device, PMF provides an organization with the final say in how the phone is used. "It boils down to what the enterprise ultimately does and doesn't want to see happening on the device."
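
The comparison described above, as an added sketch that is not MITRE's PMF code: a server-side diff of a "gold" file manifest against a recent snapshot, with changes that match expected-normal paths set aside so only the rest goes to review. It assumes each snapshot has been reduced to a path-to-content mapping; the paths, file contents and volatile-path patterns are constructed for illustration.

```python
import fnmatch
import hashlib

# Hypothetical patterns for paths an enterprise expects to change in normal use.
EXPECTED_VOLATILE = ["/data/system/batterystats*", "/data/data/*/cache/*"]

def manifest(files):
    """Reduce a snapshot (path -> bytes) to path -> SHA-256 hex digest."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def diff_snapshots(baseline, snapshot, volatile=EXPECTED_VOLATILE):
    """Return (review, expected): lists of (kind, path) changes between manifests."""
    review, expected = [], []
    for path in sorted(set(baseline) | set(snapshot)):
        if path not in baseline:
            kind = "added"
        elif path not in snapshot:
            kind = "removed"
        elif baseline[path] != snapshot[path]:
            kind = "modified"
        else:
            continue  # identical in both images
        normal = any(fnmatch.fnmatch(path, pat) for pat in volatile)
        (expected if normal else review).append((kind, path))
    return review, expected

# Constructed sample data: a known-good image and a later snapshot.
GOLD = manifest({
    "/system/bin/sh": b"shell-v1",
    "/system/app/Mail.apk": b"mail-v1",
    "/data/system/batterystats.bin": b"stats-0",
})
RECENT = manifest({
    "/system/bin/sh": b"shell-v1-patched",
    "/data/system/batterystats.bin": b"stats-1",
    "/data/app/com.example.flashlight.apk": b"unknown-app",
    "/data/data/com.example.mail/cache/img1": b"thumb",
})

if __name__ == "__main__":
    review, expected = diff_snapshots(GOLD, RECENT)
    for kind, path in review:
        print(f"REVIEW   {kind:8} {path}")
    for kind, path in expected:
        print(f"expected {kind:8} {path}")
```

Because the diff runs on manifests held off the device, its result does not depend on what the device reports about itself; the volatile-path list is where the enterprise encodes which changes it accepts as normal.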

Proactive PMF

Guido and his team have co-written a paper about the research behind PMF, titled "Automated identification of installed malicious Android applications," published in the peer-reviewed journal Digital Investigation.

The next step in the PMF project will be to provide organizations with the ability to respond to any malware PMF detects on a mobile device. "If PMF detects malware on a mobile device, an organization could use it to delete sensitive information off the device," says Guido. "Or an organization could use PMF to shut down access to the affected device or shut down the device itself."

MITRE is licensing its PMF technology to industry so that this innovation will be commercially available to our government sponsors and the nation as a whole. (For more information, contact MITRE's Technology Transfer Office.)

—by Christopher Lockheardt

