Post on 08-May-2015
Franklin Heath Ltd, 30 September 2011
Mobile Application Security and Mobile Security Applications: Sticks and Carrots
Craig Heath, Independent Mobile Security Consultant
CC BY 3.0 © Franklin Heath Ltd
Topics
Who the [heck] are you?
Why can’t you turn this [stupid] security off?
Comparing security frameworks on the main platforms
What’s in it for me?
Security apps that vendors and operators aren’t doing
  Notarised call recording
  Premium charge warning
  Trustworthy viewport
My Background
Working in systems software security since 1989
  UNIX and Enterprise Java
Focus on mobile platforms since 2002
  Responsible for Symbian’s platform security strategy
  Lead author of the book “Symbian OS Platform Security”
  Chief Security Technologist at the Symbian Foundation
Now providing independent security consultancy
  Set up Franklin Heath Ltd in November 2010
Why We Need Application Security
Bad guys are deploying malicious phone apps to defraud people for commercial gain
  Stealing virtual goods and credits
  Premium rate messaging fraud
  Phishing (e.g. banking MTANs)
People need and expect their phones to be more trustworthy than their PCs have been
  Emergency calls
  Personal data (e.g. location, contacts, photos)
Fraudulent Apps are Real
Mobile Device Security and Privacy Does Matter
Organised crime is monetising mobile vulnerabilities
  ZitMo in Europe, trojans in China and Russia
Phone software platforms are becoming more uniform
  Easier to target a bigger “addressable market”
  Android market share increasing, iPhone steady
  But don’t forget “legacy” Symbian devices (still 100s of millions)
Widespread privacy breaches are sensitising people
  e.g. Sony PlayStation Network
  WSJ coverage of bad practice in mobile applications
Comparing Application Testing
Apple and Google are two extremes of approach
  iTunes app store inspects every application and can reject for arbitrary reasons
    Good for consumers, bad for developers
  Android Market “common carrier” approach: pass through everything submitted, remove apps only if complaints are made
    Good for developers, bad for consumers
Symbian Signed did standardised third-party testing
  Middle ground, manages costs, but provides little defence against deliberate malware
  Note that the Nokia app store adds additional manual QA inspection
Comparing Application Signing
Developer signing requirements vary
  Android: “self-signed”, free to create a certificate
  iPhone: Apple developer registration includes certificate cost
  Symbian Signed required a third-party, $200, certificate
Signing party for “production” apps also varies
  iTunes and Amazon use only an app store signature
  Android Market uses only the developer signature
  Symbian Signed uses only the certifier signature
Comparing Copy Protection
iTunes app store uses Apple proprietary FairPlay DRM
Android Market doesn’t provide automatic copy protection, but Google provides libraries for developers to invoke a licence server
Nokia app store has lightweight “forward lock” copy protection
Opportunity: Put the User in Control
Ways to benefit the end user, not the vendor or operator
  Correcting “information asymmetries” to benefit consumers
  More usable control over personal information sharing
  Tools for the paranoid (or security professional)
Putting users in control of their own data and their own charges is the right thing to do
  But usability is key
  Don’t cause security prompt blindness
  Don’t put the responsibility on them as a cop-out
Idea 1: Notarised Call Recording
“Reciprocal Transparency” – who watches the watchers?
When you call a utility company, do you hear “this call may be recorded”?
  it’s being recorded for their benefit, not yours
Have you ever been told they will do something, but when you call back: “I’m sorry, I have no record of that”?
  probably they do, but you can’t prove it: information asymmetry
Why isn’t this built in to my phone?
  Hypothesis: difficult to do legally in all jurisdictions?
Idea 1: Notarised Call Recording – What can be done?
Even a simple recording would help, with the call log
  but unlikely to be good enough evidence to use in court
Could combine this with a “digital notary”
  take a hash of the recording (prevents future tampering)
  have the hash signed by a trusted third party with a time stamp
  proves that the recording was made at or before that time
Make sure it’s legal in the UK
  Play a recorded announcement at the start? (= reciprocal)
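The hash-then-sign scheme on this slide, written out as an added example (not code from the talk or from Franklin Heath). The notary is simulated in-process with an Ed25519 key pair, the "recording" is a constructed byte string rather than real audio, and the signed message layout (SHA-256 digest followed by a big-endian Unix timestamp) is an assumption of this example. The point it shows is that the notary never receives the audio, only its hash, and that changing either the recording or the timestamp afterwards makes verification fail.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Notary stands in for the trusted third party. It holds the signing key;
// its public key is all that anyone needs to check a receipt later.
type Notary struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// NewNotary generates a fresh Ed25519 key pair for the simulated notary.
func NewNotary() (*Notary, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Notary{priv: priv, Pub: pub}, nil
}

// Receipt is what the phone keeps beside the recording: the hash it sent,
// the time the notary attached, and the notary's signature over both.
type Receipt struct {
	Digest    [32]byte
	Timestamp int64 // Unix seconds, chosen by the notary, not the phone
	Signature []byte
}

// Digest hashes the audio; only this value ever leaves the phone.
func Digest(recording []byte) [32]byte {
	return sha256.Sum256(recording)
}

// message fixes the byte layout that is signed (assumed for this example):
// digest || big-endian timestamp, so neither field can be altered on its own.
func message(digest [32]byte, ts int64) []byte {
	var buf [40]byte
	copy(buf[:32], digest[:])
	binary.BigEndian.PutUint64(buf[32:], uint64(ts))
	return buf[:]
}

// Notarise is the third party's side: it never sees the audio, only the hash,
// and binds that hash to the time at which it was presented.
func (n *Notary) Notarise(digest [32]byte, now time.Time) Receipt {
	ts := now.Unix()
	return Receipt{
		Digest:    digest,
		Timestamp: ts,
		Signature: ed25519.Sign(n.priv, message(digest, ts)),
	}
}

// Verify is what a later reader does: recompute the hash from the recording
// as it exists now, then check the notary's signature over hash and time.
// A changed recording or a changed timestamp both fail.
func Verify(pub ed25519.PublicKey, recording []byte, r Receipt) error {
	if Digest(recording) != r.Digest {
		return errors.New("recording does not match the notarised hash")
	}
	if !ed25519.Verify(pub, message(r.Digest, r.Timestamp), r.Signature) {
		return errors.New("notary signature does not verify")
	}
	return nil
}

func main() {
	notary, err := NewNotary()
	if err != nil {
		panic(err)
	}
	recording := []byte("constructed stand-in for call audio") // not real audio
	receipt := notary.Notarise(Digest(recording), time.Now())
	fmt.Println("digest:", hex.EncodeToString(receipt.Digest[:]))
	fmt.Println("original verifies:", Verify(notary.Pub, recording, receipt))
	tampered := append([]byte{}, recording...)
	tampered[0] ^= 1 // flip one bit after notarisation
	fmt.Println("tampered verifies:", Verify(notary.Pub, tampered, receipt))
}
```

What the receipt proves is only "this exact audio existed at or before the notary's timestamp"; it says nothing about who was on the call, so the call log entry (number, duration) would need to be hashed into the same digest to tie the two together.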
Idea 2: Premium Charge Warning
Premium rate voice and SMS service providers in the UK are required by law to advise consumers of their charges in advance
  but they haven’t always done this in the most obvious way
  malware isn’t going to respect this
In the UK, you can discover the charges with a free SMS (76787)
  also available as a web-based online number checker
  but I doubt many people use this regularly
It would be much more useful if your phone did this for you
  operators may not like this (could discourage use of legitimate services)
Idea 2: Premium Charge Warning – What can be done?
Filter to check numbers your phone is calling and texting, and warn before the call is placed if it’s premium rate
  “allow this application to spend 50p?” would be far more usable than “allow this application to make phone calls and send text messages?”
Could be extended to enforce rules, e.g.
  allow this application to spend up to £5
  allow this application to send 2 texts per day
But, data isn’t easily available, and the hooks aren’t easily accessible on all phone platforms
  a “proof of concept” app could allow pressure to be brought
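The filter and the two enforcement rules from this slide, as an added example (not code from the talk or a Franklin Heath proof of concept). The prefix table, the charges in pence and the shortcode rule are constructed stand-ins for the number-range data the slide says is hard to obtain; per-app spend and daily text counts are kept in memory. `Evaluate` is the hook that would sit between the outgoing-call or SMS intent and the network: it returns the spend-based prompt text for premium traffic, nothing for ordinary traffic, and an error when the £5 cap or the two-texts-a-day rule would be broken.

```go
package main

import (
	"fmt"
	"strings"
)

// Kind distinguishes an outgoing voice call from an outgoing text.
type Kind int

const (
	Call Kind = iota
	SMS
)

// Tariff pairs a dialling prefix with an assumed charge in pence. The table is
// constructed for this example; real data would come from the regulator's
// number checker or a commercial number-range feed.
type Tariff struct {
	Prefix string
	Pence  int
}

var premiumPrefixes = []Tariff{
	{"09", 150},  // UK premium rate voice (constructed charge)
	{"118", 250}, // directory enquiries (constructed charge)
	{"0871", 13}, // service numbers treated as premium rate (constructed charge)
	{"0872", 13},
	{"0873", 13},
}

// Normalise strips formatting and folds the +44 / 0044 country code to a
// leading 0 so that prefix matching works on one representation.
func Normalise(n string) string {
	n = strings.NewReplacer(" ", "", "-", "", "(", "", ")", "").Replace(n)
	switch {
	case strings.HasPrefix(n, "+44"):
		return "0" + n[3:]
	case strings.HasPrefix(n, "0044"):
		return "0" + n[4:]
	}
	return n
}

// Classify reports whether a number is premium rate and the assumed charge.
// Five-digit shortcodes starting 6, 7 or 8 are treated as premium SMS
// (a constructed rule); otherwise the longest matching prefix wins.
func Classify(number string) (bool, int) {
	n := Normalise(number)
	if len(n) == 5 && strings.ContainsAny(n[:1], "678") {
		return true, 150
	}
	best := Tariff{}
	for _, t := range premiumPrefixes {
		if strings.HasPrefix(n, t.Prefix) && len(t.Prefix) > len(best.Prefix) {
			best = t
		}
	}
	return best.Prefix != "", best.Pence
}

// Policy enforces the per-app rules from the slide: a spending cap and a
// daily text limit. State is held in memory for the example.
type Policy struct {
	CapPence    int
	TextsPerDay int
	spent       map[string]int // per app
	texts       map[string]int // per app + "/" + day
}

func NewPolicy(capPence, textsPerDay int) *Policy {
	return &Policy{CapPence: capPence, TextsPerDay: textsPerDay,
		spent: map[string]int{}, texts: map[string]int{}}
}

// Evaluate runs before the call or text leaves the phone. It returns the prompt
// the user should see (empty for non-premium traffic) or an error when a rule
// would be broken, in which case the request must not proceed.
func (p *Policy) Evaluate(app string, kind Kind, number, day string) (string, error) {
	key := app + "/" + day
	if kind == SMS && p.texts[key] >= p.TextsPerDay {
		return "", fmt.Errorf("%s: daily limit of %d texts reached", app, p.TextsPerDay)
	}
	premium, pence := Classify(number)
	if premium && p.spent[app]+pence > p.CapPence {
		return "", fmt.Errorf("%s: would exceed spending cap of %dp", app, p.CapPence)
	}
	// Record the decision; a real implementation would do this only once
	// the user has accepted the prompt.
	if kind == SMS {
		p.texts[key]++
	}
	if !premium {
		return "", nil
	}
	p.spent[app] += pence
	return fmt.Sprintf("allow %s to spend %dp on %s?", app, pence, Normalise(number)), nil
}

func main() {
	pol := NewPolicy(500, 2) // £5 cap, 2 texts per day
	for _, n := range []string{"+44 9012 345678", "0871 234 5678", "87123", "020 7946 0000"} {
		prompt, err := pol.Evaluate("example-app", Call, n, "2011-09-30")
		fmt.Printf("%-16s prompt=%q err=%v\n", n, prompt, err)
	}
}
```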
Idea 2: Premium Charge Warning – Proof-of-concept Possibilities
Screen-scraping of the PhonePayPlus number checker
  http://www.phonepayplus.org.uk/Number-Checker/Check-a-Number-Results.aspx?ncn=number
Trapping the call/SMS before it’s sent
  On Android, the ACTION_NEW_OUTGOING_CALL broadcast action allows voice calls to be intercepted
  No equivalent for SMS?
Charge information for number ranges is available commercially
  Could it be a marketing opportunity for the holders to make it available for free in some way, limited to this purpose?
  Could it be made available as part of government Open Data?
Idea 3: Trustworthy Viewport
Typical desktop web commerce model is for the user to enter a password to confirm the transaction
  OK if the user confirms they are giving it to the payment provider and not to a “phishing” site
Mobile browsers lack the visual security cues
  No room on a small screen for the window “chrome”
  Apps can draw on the entire display area
Desktop model of entering a password to authorize the transaction is dangerous on mobile
Examples of Insecure Mobile Experience for In-App Payments
Idea 3: Trustworthy Viewport – What can be done?
Have a “helper” app provide the UI for password entry
Show the user something that a malicious app can’t
  e.g. Yahoo! “sign-in seal”, 3D Secure “Personal Assurance Message”
Couple that with a clear indication of the origin of the view contents
  c.f. Internet Explorer highlighting the 2nd level domain, Firefox green background for EV server certificates, etc.
Wrapper for Android WebView?
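The "clear indication of origin" part of this slide, as an added example (not code from the talk, nor an Android WebView wrapper). It takes the URL a helper viewport is about to render and computes what the origin indicator should display: whether the connection is HTTPS and the registrable domain (eTLD+1) to highlight, the way Internet Explorer highlights the second-level domain. The public-suffix fragment is a constructed subset of the real list, and refusing URLs that carry userinfo before an `@` is a design choice of this example; `.example` is a reserved TLD used for the constructed hosts.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// publicSuffixes is a constructed fragment of the public-suffix list. A real
// viewport would embed the full list so eTLD+1 is right for every registry.
var publicSuffixes = map[string]bool{
	"com": true, "org": true, "net": true, "example": true,
	"uk": true, "co.uk": true, "org.uk": true, "ac.uk": true,
}

// Origin is what the trustworthy viewport shows beside its sign-in seal.
type Origin struct {
	Secure      bool   // true only for https
	Host        string // full host as parsed from the URL
	Registrable string // the part to highlight, e.g. "bank.co.uk"
}

// RegistrableDomain returns eTLD+1 for a host: one label more than the
// longest public suffix. A bare public suffix has no registrable domain.
func RegistrableDomain(host string) (string, error) {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	labels := strings.Split(host, ".")
	for i := 0; i < len(labels)-1; i++ {
		candidate := strings.Join(labels[i:], ".")
		suffix := strings.Join(labels[i+1:], ".")
		if publicSuffixes[suffix] && !publicSuffixes[candidate] {
			return candidate, nil
		}
	}
	return "", errors.New("no registrable domain in host " + host)
}

// DescribeOrigin parses the URL the viewport is about to render and returns
// what the user should be shown. Userinfo before '@' is refused outright,
// because in a payment URL it only serves to make the host look different.
func DescribeOrigin(raw string) (Origin, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return Origin{}, err
	}
	if u.User != nil {
		return Origin{}, errors.New("refusing URL with userinfo component")
	}
	host := u.Hostname()
	if host == "" {
		return Origin{}, errors.New("no host in URL")
	}
	reg, err := RegistrableDomain(host)
	if err != nil {
		return Origin{}, err
	}
	return Origin{Secure: u.Scheme == "https", Host: host, Registrable: reg}, nil
}

// Label renders the indicator text: the lock state plus the host with the
// registrable domain bracketed, standing in for the highlight a browser draws.
func (o Origin) Label() string {
	lock := "NOT SECURE"
	if o.Secure {
		lock = "secure"
	}
	prefix := strings.TrimSuffix(o.Host, o.Registrable)
	return fmt.Sprintf("[%s] %s[%s]", lock, prefix, o.Registrable)
}

func main() {
	// Constructed URLs: the first looks like a bank but belongs to evil.example.
	for _, raw := range []string{
		"https://secure-bank.com.evil.example/pay",
		"http://www.bank.co.uk/login",
		"https://secure-bank.com@evil.example/",
	} {
		o, err := DescribeOrigin(raw)
		if err != nil {
			fmt.Printf("%-45s refused: %v\n", raw, err)
			continue
		}
		fmt.Printf("%-45s %s\n", raw, o.Label())
	}
}
```

The highlight is only as trustworthy as the surface it is drawn on, which is why the slide pairs it with the sign-in seal: the seal proves the helper app is the one drawing, and the label then tells the user whose page it is.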
Open Discussion…