As the use of mobile devices to transmit and receive data and access internet and intranet websites continues to expand, it becomes increasingly important that these devices be protected from malicious activity. If not protected, mobile devices are vulnerable to criminal or cyber attacks that could disrupt the normal functioning of both commerce and government. For example, vital communications can be disrupted, mobile communications devices can be used to hack into supposedly secure servers storing confidential information, mobile payment mechanisms can be used to steal money, or other malicious acts can be performed.
One approach for protecting conventional computing assets from viruses, malware, adware, exploits, and other computer attacks is to analyze the communication streams to and from the asset to detect malicious activity. Intrusion Prevention Systems (IPSs) are network security technologies that examine network traffic flows to detect and prevent vulnerability exploits. An IPS can take such actions as raising an alarm, dropping malicious packets, resetting connections, and blocking further traffic from an offending IP address. Conventional IPSs generally fall into two categories: network-based and host-based. Network-based IPSs are typically dedicated appliances placed inline within a back-end network. With cellular networks, which are commonly used by mobile devices, network-based IPSs cannot be deployed by end users because the carrier's back-end network is inaccessible to them.
Host-based IPSs reside on end user devices, such as laptops, and examine network traffic entering and leaving the device for malicious patterns. If a malicious pattern is recognized, action is taken, such as dropping the packet, terminating the connection, blocking the remote host, or alerting the user. To accomplish this, host-based IPSs generally require two privileges: access to the network interface and administrator rights (also known as superuser or root access).
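The decision logic of a host-based IPS as described above, written here as an added illustration (not code from the patent or from any product it cites). The signatures, the offense threshold and the sample traffic are constructed for the example; the engine inspects both inbound and outbound packet records, alerts and drops on a signature hit, resets the connection, and blocks a remote host after repeated hits.

```python
"""Minimal stateful host-based IPS decision engine (added illustration).

Inspects inbound and outbound packet records for byte-pattern signatures and
applies the actions named above: alert, drop the packet, reset the connection,
and block further traffic from a repeat-offending remote host. Signatures,
thresholds and the sample traffic are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Hypothetical signatures: (name, byte pattern that must appear in the payload).
SIGNATURES = [
    ("sqli-union-select", b"UNION SELECT"),
    ("path-traversal", b"../../"),
    ("shell-cmd-injection", b";/bin/sh"),
]

# Number of matched packets from one remote host before that host is blocked.
BLOCK_THRESHOLD = 2


@dataclass
class Packet:
    direction: str      # "in" (to the device) or "out" (from the device)
    remote_ip: str
    payload: bytes


@dataclass
class Verdict:
    action: str                 # "allow", "drop", or "drop+reset"
    alerts: List[str] = field(default_factory=list)
    blocked_host: bool = False  # True if the remote host is (now) blocked


@dataclass
class HostIPS:
    offenses: Dict[str, int] = field(default_factory=dict)
    blocked: Set[str] = field(default_factory=set)

    def match_signatures(self, payload: bytes) -> List[str]:
        """Return the names of all signatures whose pattern occurs in the payload."""
        return [name for name, pattern in SIGNATURES if pattern in payload]

    def inspect(self, pkt: Packet) -> Verdict:
        # Traffic to or from an already-blocked host is dropped without inspection.
        if pkt.remote_ip in self.blocked:
            return Verdict(action="drop", blocked_host=True)
        hits = self.match_signatures(pkt.payload)
        if not hits:
            return Verdict(action="allow")
        # Signature hit: alert, drop the packet, reset the connection, and
        # count the offense against the remote host; block it at the threshold.
        count = self.offenses.get(pkt.remote_ip, 0) + 1
        self.offenses[pkt.remote_ip] = count
        if count >= BLOCK_THRESHOLD:
            self.blocked.add(pkt.remote_ip)
        return Verdict(
            action="drop+reset",
            alerts=[f"{pkt.direction}:{pkt.remote_ip}:{h}" for h in hits],
            blocked_host=pkt.remote_ip in self.blocked,
        )


def run_sample() -> List[str]:
    """Feed constructed traffic through the engine and return the verdict actions."""
    ips = HostIPS()
    sample = [
        Packet("in", "203.0.113.5", b"GET /index.html HTTP/1.1"),
        Packet("in", "203.0.113.5", b"GET /?id=1 UNION SELECT 1,2 HTTP/1.1"),
        Packet("in", "203.0.113.5", b"GET /../../etc/passwd HTTP/1.1"),
        Packet("in", "203.0.113.5", b"GET /index.html HTTP/1.1"),   # host now blocked
        Packet("out", "198.51.100.7", b"POST /api HTTP/1.1"),
    ]
    return [ips.inspect(p).action for p in sample]


if __name__ == "__main__":
    print(run_sample())
```

The matching is a plain case-sensitive substring test; a production engine would normalize encodings and case before matching. The point relevant to this section is what the engine needs as input: every packet entering or leaving the device, which on a conventional mobile device an ordinary application cannot obtain without the privileges discussed below.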
With conventional mobile devices, neither of these two privileges is generally available, thus rendering traditional host-based IPS methods and systems unusable for mobile devices. As explained in U.S. Pat. No. 9,009,779, the interception of network traffic on a typical mobile device, such as a device running an Android™ operating system, is generally not possible under normal operation. Since the primary purpose of the device is to operate as a phone, phone manufacturers and cellular carriers confine applications to the “user space” of the device, rather than the “kernel space” or “machine space” that is typically required for network traffic interception. This limitation exists because a fault at such a low functional level could render the entire device inoperable, rather than merely causing a single application to fail while the device remains usable for other purposes.
For example, conventional mobile device 102 in FIG. 1 includes multiple apps 108 operating in user space and network interface 110 operating in kernel space. Apps 108 may generate data for transmission over network 104 to one or more nodes 106 also connected to network 104, and one or more nodes 106 may transmit data back, all of which is processed by network interface 110. Network interface 110 includes both the physical and logical functions required to process inbound and outbound data at the device. An app 108 generally has access to network interface 110 only for the processing of its own data. Furthermore, each app 108 interacts individually with the kernel space, meaning that one app normally cannot interact directly with another app. Whereas a conventional IPS operating within a general computing device environment could examine transmitted and received data by directly accessing the network interface of the device, the same is not possible in mobile device 102 because of the restrictions on applications confined to user space. Because apps 108 can neither access the networking processes of network interface 110 nor access each other, it is generally not possible for one app to monitor the flow of data to and from other apps.
For these reasons, it is challenging to capture inbound and outbound traffic to and from applications running on a conventional mobile device without root access.