

    Please use this permanent URL to cite or link to this document: https://irlib.pccu.edu.tw/handle/987654321/29985


    Title: M_Office行動POS系統建構於智慧型手機資料庫稽核安全防護及資料通訊之加解密研究
    M_Office Mobile POS system constructed in smartphones database security and auditing plus the decrypted data communication of research
    Author: 陳慶源
    Chen, Ching Yuan
    Contributor: Information Security Industry Master's Program (資訊安全產業碩士專班)
    Keywords: POS system
    SHA-256 hash algorithm
    Huffman algorithm
    AES symmetric-key algorithm
    Base64 algorithm
    Android malware
    HTTPS
    data theft
    buffer overflow
    mobile phone database audit
    Date: 2015-06
    Upload time: 2015-07-30 09:55:50 (UTC+8)
    Abstract: With the falling cost of wireless network equipment and the spread of wireless application services, smartphones offer the convenience and mobility of connecting to the Internet over 3G to 4G LTE wireless networks, and enterprises can use wireless devices to carry out mobile management of business processes anytime and anywhere. As smartphone technology evolves, everything is moving further toward the cloud; application development combined with multi-function smartphones is creating new opportunities for mobile services and providing more convenient functionality.

    However, as smartphone market share grows rapidly, much malware has begun to shift to mobile platforms. The infection routes and destructive capability of mobile viruses have become a chronic weakness in smartphone information security and pose a serious threat. Because smartphones handle message transmission between endpoints while exposed to wireless network environments, malicious attackers attack applications on the phone to implant linking programs, or exploit vulnerabilities in the phone system, to intrude into the user's phone; the resulting theft and leakage of important confidential data is an increasingly serious problem. As smartphone users become the new target of attackers who keep attacking with new types of malware, the secrecy and concealment provided by keys and the strength of data encryption are the main line of development for smartphone data security today.

    This study finds that attacks on smartphones today mainly target "data theft" and "mobile phone database buffer overflow". The study therefore pursues three directions, aiming at prevention before an incident, handling during it, and improvement afterwards.

    The first direction takes the Android smartphone architecture as its basis, builds the M_Office mobile POS system, and examines the security threats a mobile POS smartphone faces in a wireless network environment: penetration attacks by Android malware, security concerns with HTTPS on Android smartphones, and data leakage caused by malware using the Android system to penetrate the POS system.

    The second direction starts from the finding that, in earlier data communication, protecting data with an asymmetric encryption algorithm and the passing of a symmetric key made the procedure overly complex and wasteful of system resources. The study therefore implements data communication as follows. The SHA-256 irreversible hash algorithm is used to produce password hash values. While not transmitting between endpoints, four parameters (the account and password used at phone login, the time value from a time server, and the IMEI value of the phone) are taken as perturbation values; through a Huffman tree computation, combined with the irreversibility of the SHA-256 one-way hash algorithm, they produce a random secret hidden key, which prevents the key from being disclosed, modified or replaced without authorization and strengthens the efficiency and security of data transmission. The AES symmetric encryption algorithm is then used together with the Base64 encoding algorithm to ensure the concealment of transmitted data.

    The third direction establishes a database audit mechanism for data-access buffer overflows that arise from software vulnerabilities in smartphones. Through its discussion and implementation, the study establishes preventive measures for smartphone information security.
    Appears in collections: [Department of Computer Science and Information Engineering] Theses and dissertations
