Foundations and Trends® in Privacy and Security > Vol 3 > Issue 3-4

Hardware Platform Security for Mobile Devices

By Lachlan J. Gunn, Aalto University, Finland, lachlan@gunn.ee | N. Asokan, University of Waterloo, Canada, asokan@acm.org | Jan-Erik Ekberg, Huawei, Finland | Hans Liljestrand, University of Waterloo, Canada | Vijayanand Nayani, Huawei, Finland | Thomas Nyman, Aalto University, Finland

 
Suggested Citation
Lachlan J. Gunn, N. Asokan, Jan-Erik Ekberg, Hans Liljestrand, Vijayanand Nayani and Thomas Nyman (2022), "Hardware Platform Security for Mobile Devices", Foundations and Trends® in Privacy and Security: Vol. 3: No. 3-4, pp 214-394. http://dx.doi.org/10.1561/3300000024

Publication Date: 07 Jun 2022
© 2022 L. J. Gunn et al.
 
Subjects
System Security,  Security,  Cryptography and Information Security
 

In this article:
1. Introduction
2. Historical Overview
3. Operating System Security
4. Platform Integrity
5. Hardware-assisted Isolation Mechanisms
6. Cryptographic Hardware
7. Run-time Protection Mechanisms
8. Software-level Attacks
9. CPU-level Attacks
10. Physical Attacks
11. Dealing with Hardware Compromise
12. Towards Next-generation TEEs
Appendix
References

Abstract

Today, personal mobile devices like smartphones and tablets are ubiquitous. People use mobile devices for fun, for work, and for organizing and managing their lives, including their finances. This became possible because over the last two decades, mobile phones evolved from closed platforms intended for voice calls and messaging to open platforms whose functionality can be extended in myriad ways by third-party developers. Such wide-ranging scope of use also means widely different security and privacy requirements for those uses. The mobile device ecosystem involved multiple different stakeholders such as mobile network operators, regulators, enterprise information technology administrators, and of course ordinary users. So, as mobile platforms became gradually open, platform security mechanisms were incorporated into their architectures so that the security and privacy requirements of all stakeholders could be met. Platform security mechanisms help to isolate applications from one another, protect persistent data and other on-device resources (like access to location or peripherals), and help strengthen software against a variety of attack vectors. All major mobile platforms incorporate comprehensive software and hardware platform security architectures, including mechanisms like trusted execution environments (TEEs).

Over the past decade, mobile devices have been undergoing convergences in multiple dimensions. The distinction between “mobile” and “fixed” devices has blurred. Similar security mechanisms and concepts are being used across different platforms, leading to similar security architectures. Hardware enablers used to support platform security have gradually matured. At the same time, there have also been novel types of attacks, ranging from software attacks like return- and data-oriented programming to hardware attacks like side channels that exploit micro-architectural phenomena. It is no longer tenable to assume that the current hardware security mechanisms underpinning mobile platform security are inviolable.

The time is therefore right to take a new look at mobile platform security, which brings us to this monograph. We focus on hardware platform security. The monograph is divided into four parts: we begin by looking at the why and how of mobile platform security, followed by a discussion on vulnerabilities and attacks; we conclude by looking forward, discussing emerging research that explores ways of dealing with hardware compromise, and building blocks for the next generation of hardware platform security.

Our intent is to provide a broad overview of the current state of practice and a glimpse of possible research directions that can be of use to practitioners, decision makers, and researchers.

DOI: 10.1561/3300000024
ISBN: 978-1-68083-976-0 (paperback), 202 pp., $99.00
ISBN: 978-1-68083-977-7 (e-book, PDF), 202 pp., $290.00

Hardware Platform Security for Mobile Devices

Personal mobile devices like smartphones and tablets are ubiquitous. People use mobile devices for fun, for work, and for organizing and managing their lives, including their finances. This has become possible because over the past two decades, mobile phones evolved from closed platforms intended for voice calls and messaging to open platforms whose functionality can be extended in myriad ways by third-party developers. Such wide-ranging scope of use also means widely different security and privacy requirements for those uses. As mobile platforms gradually opened, platform security mechanisms were incorporated into their architectures so that the security and privacy requirements of all stakeholders could be met. The time is therefore right to take a new look at mobile platform security, which is the intent of this monograph.

The monograph is divided into four parts: firstly, the authors look at the how and why of mobile platform security, and this is followed by a discussion on vulnerabilities and attacks. The monograph concludes by looking forward and discussing emerging research that explores ways of dealing with hardware compromise, and building blocks for the next generation of hardware platform security.

The authors have intended to provide a broad overview of the current state of practice and a glimpse of possible research directions that can be of use to practitioners, decision makers, and researchers. The focus of this monograph is on hardware platform security in mobile devices. Other forms of security, such as OS security, are briefly covered, but from the perspective of motivating hardware platform security. Also, specific high-level attacks such as jail-breaking or rooting are not covered, though the basic attacks described in Part III can be, and often are, used as stepping stones for these high-level attacks.

 
SEC-024