
A Study on the Security Checklist Improvements to improve the Security in the Mobile Applications Development

  • Shin, Jun-Yuop (Cyber Team of Criminal Investigation Section, Kyonggi Regional Police Agency) ;
  • Kim, Dong-Soo (Graduate School of Information and Telecommunications, Konkuk University) ;
  • Han, Ki-Jun (Dept. of Computer Engineering, Konkuk University) ;
  • Kim, Hee-Wan (Division of Computer Engineering, Shamyook University)
  • Received : 2014.06.03
  • Reviewed : 2014.08.20
  • Published : 2014.08.28

Abstract

The use of mobile devices offers a variety of conveniences to individuals and enterprises. At the same time, building an environment for mobile services means that the security threats already present in the IT infrastructure and the new threats specific to mobile devices coexist. To minimize the security threats in the mobile environment, management services such as MDM (Mobile Device Management) and services such as mobile anti-virus have attracted a great deal of interest. In practice, however, these solutions cannot protect an application developed for a mobile service from threats that arise from the application's own vulnerabilities. For this reason, this paper presents mobile application security checklist items, based on application security review items, to prevent security incidents that can occur in a mobile service environment, with the aim of improving the security of mobile application development. To verify the effectiveness of the proposed checklist, we collected and analyzed actual Android-based applications and performed a complete inspection of them, and we verified the suitability of the checklist items through a survey of experts.
