Middleware for network eccentric and mobile applications, pages 265-284
Over the last decade the popularity of mobile devices has increased enormously. Initially, personal managers and mobile phones were designed as closed, dedicated devices. Increasingly, these devices have evolved into general-purpose instruments that can be extended at the user's will (among others via proper software development kits). This has led to the current generation of smartphones and full-blown personal information management systems. At the same time, the information managed by the devices has evolved from limited and personal to general-purpose and business-centric and, consequently, the devices constitute a core component of daily life.
These evolutions have had a significant impact on the security and privacy features of these devices. While only rather simple security models offering little protection were provided initially, current devices have evolved into natural extensions of personal computing platforms offering advanced, fine-grained data and software protection. Compared to personal desktops, however, the big challenge lies in the limited hardware protection models (such as data protection in memory) and the similarly limited computational resources that are available for the software security measures to build on. Consequently, the protection models of these devices have always been more restricted and targeted towards a specific setting. In this context, security middleware is to be interpreted as a broad category of security enhancements for applications (and their data) on mobile devices with limited capabilities.
In this chapter, the state-of-the-art in software protection for mobile devices is discussed. First, the security characteristics of mobile devices (as opposed to regular desktop systems) are elaborated upon by eliciting and illustrating specific types of threats. This should help in understanding and appreciating the particular difficulties of these platforms and allow one to draw connections between related problems on specific devices. Second, in the wide range of protective measures for mobile devices, we focus on two recent security enhancements that address some of these threats and, hence, improve the protection of applications on these devices: execution memory protection and security by contract. These techniques are complementary in the sense that the first technique focuses on applications running on native platforms, while the latter improves security properties for managed platforms. Besides motivating and discussing the general approach of these techniques, their usefulness for mobile devices in particular is highlighted as well.