Security


10 Dec 2013


Threats in the Web and Mobile Channel
Audun Jøsang
Mobile app security seminar
IT Fornebu
Thursday 28 April 2011
2011.04.28 1 Mobile App Security - IT Fornebu
Norwegian Terms

Good (one Norwegian term per concept):
  English     Norwegian
  Security    Sikkerhet
  Safety      Trygghet
  Certainty   Visshet

Bad (one Norwegian term for all three):
  English     Norwegian
  Security    Sikkerhet
  Safety      Sikkerhet
  Certainty   Sikkerhet
The Mobile Architecture
Diagram (labels recovered from the slide): Mobile Device [SIM card; Applications / OS / Hardware] – Mobile Network [several nodes, each a stack of Applications / OS / Hardware] – Internet [Applications / OS / Hardware].
Software is fragile
Separation between software modules is a hard problem
Diagram: the computer system as a layered stack of Software (Applications, OS, Kernel) on Hardware, set against a house analogy: locks, doors and windows; plumbing, cabling and fittings; furniture and appliances; foundations, walls and roof.
Security analysis of mobile systems
Security evaluation by Watchcom, February 2011
(Cells give the number of rating marks per platform as extracted; the mark symbol itself did not survive extraction.)

Security aspect                          | iPhone iOS 4.2 | Blackberry OS | Android v2.2 | Windows Phone 7
Authentication                           | 3              | 3             | 2            | 2
Encryption and communication security    | 3              | 3             | 1            | 1
Security extensions                      | 1              | 3             | 3            | 1
Robustness against compromise/infection  | 1              | 2             | 1            | 1
Administration and policy management     | 1              | 3             | 1            | 1
Security functionality                   | 2              | 3             | 2            | 2
Application security                     | 2              | 3             | 2            | 2
3rd party certification                  | only one rating (3 marks) survived extraction; its column is not recoverable
Communication Security Analogy
Transport Defences
• "Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench." (Gene Spafford)
Usability of entity authentication
Diagram: user – Internet – Service Provider. Labels on the slide: Application layer user authentication; SSL server authentication; Cert.; ?
A phishing example:
Hawaii Federal Credit Union
Genuine bank login: https://hcd.usersonlnet.com/asp/USERS/Common/Login/NettLogin.asp
Fake bank login: https://hawaiiusafcuhb.com/cgi-bin/mcw00.cgi?MCWSTART
Certificate comparison
Slide shows the genuine certificate and the fake certificate side by side (screenshots on the slide).
The Alice-&-Bob Fallacy
• Message authentication theory assumes that Alice and Bob perform cryptographic operations
• In reality, client and server computers do that.
• Difficulty of verifying cryptographic operations inside computers makes it difficult to achieve meaningful message authentication
Diagram: Alice – message authentication protocol – Bob, with a "?" at each end.
Failure of user authentication to prevent attack on message authentication
• In case of MitB (Man-in-the-Browser) attack, the server "authenticates" messages from attacker, not from user.
• Semantically, this is not message authentication
• User authentication does not prevent this attack
Diagram labels: User (with OTP calc.), Client (MitB Malware), Server; User authentication protocol; Message authentication protocol (?).
Combined user and message authentication through integrated dual-channel protocol
1. Specify destination account and amount
2. Transaction data transmission
3. SMS with authentication code, destination account and amount
4. View SMS
5. Verify transaction data in SMS
6. If transaction is correct, copy authentication code to browser
7. Transmit authentication code
8. Verify authentication code. If OK, execute transaction.
Diagram: User, Client and Mobile phone on one side, Bank Server on the other; steps 2 and 7 run over the Internet channel, step 3 over the Cellular channel, step 8 at the Bank Server; steps 1, 4, 5 and 6 are the user's own actions.
Man-in-the-mobile attack
• ZeuS & SpyEye Trojans are already targeting bank transactions with 2-factor authentication
• Zeus MitM (Man-in-the-Mobile) Trojan for mobile phones sends the received authentication code to the attacker
Diagram labels: User, Client, Mobile phone (MitM Malware), Bank Server, Hacker, Illegal transaction; channels Internet and Cellular; steps 1-6.
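The three slides above (user authentication failing against a man-in-the-browser, the dual-channel SMS protocol, and the man-in-the-mobile attack) can be walked through in code. The Python simulation below is an added example; it is not from the presentation and does not model any real bank's system. The BankServer and Transaction classes, the account numbers, the SMS text format and the demo key are all constructed. It binds the SMS code to the transaction data with an HMAC over what the server received, which is one reasonable way to implement step 3 and is an assumption of this example, not something the slides specify. The browser_submit function is also where the Alice-&-Bob fallacy shows: the client computer, not the user, performs the transmission, so a hook inside it rewrites the data before any authentication happens.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Transaction:
    dest_account: str
    amount: int  # whole currency units; every value in this file is a constructed sample

class BankServer:
    """Bank side of the dual-channel protocol (steps 2, 3, 7 and 8 on the slide)."""

    def __init__(self, sms_key: bytes):
        self._sms_key = sms_key  # binds each code to one transaction
        self._pending = {}       # txn_id -> (user, Transaction, expected code)
        self.executed = []       # ledger of executed (user, Transaction)

    def receive_transaction(self, user, txn):
        """Step 2: take the transaction as the browser sent it.
        Step 3: return (txn_id, SMS text) for the cellular channel."""
        txn_id = secrets.token_hex(4)
        msg = f"{txn_id}|{txn.dest_account}|{txn.amount}".encode()
        # HMAC over the data the server actually received, truncated to 6 hex
        # digits, so the code is worthless for any other destination or amount.
        code = hmac.new(self._sms_key, msg, hashlib.sha256).hexdigest()[:6]
        self._pending[txn_id] = (user, txn, code)
        return txn_id, f"Code {code}: pay {txn.amount} to account {txn.dest_account}"

    def receive_code(self, txn_id, code):
        """Step 8: execute only on a matching code; pop first so each code is single-use."""
        entry = self._pending.pop(txn_id, None)
        if entry is None:
            return False
        user, txn, expected = entry
        if not hmac.compare_digest(expected, code):
            return False
        self.executed.append((user, txn))
        return True

    def execute_on_session_only(self, txn_id):
        """Slide 11 bank: user authentication only, so whatever the session sent is executed."""
        entry = self._pending.pop(txn_id, None)
        if entry is None:
            return False
        self.executed.append(entry[:2])
        return True

def browser_submit(server, user, txn, mitb=None):
    """Steps 1-2: the client computer, not 'Alice', transmits the transaction;
    an MitB hook rewrites it inside the browser before it leaves the client."""
    return server.receive_transaction(user, mitb(txn) if mitb else txn)

SMS_PATTERN = re.compile(r"Code (\w+): pay (\d+) to account (\S+)")

def user_checks_sms(intended, sms):
    """Steps 4-6: compare destination and amount in the SMS with what the user
    typed; return the code only when both match, else None."""
    m = SMS_PATTERN.fullmatch(sms)
    if m is None:
        return None
    code, amount, dest = m.group(1), int(m.group(2)), m.group(3)
    if dest != intended.dest_account or amount != intended.amount:
        return None
    return code

def run_session_only(intended, mitb=None):
    """User-authenticated session without message authentication (slide 11)."""
    server = BankServer(b"constructed-demo-key")
    txn_id, _ = browser_submit(server, "alice", intended, mitb)
    return server.execute_on_session_only(txn_id), server.executed

def run_dual_channel(intended, mitb=None, phone_compromised=False):
    """Whole dual-channel protocol (slide 12). Returns (executed, ledger)."""
    server = BankServer(b"constructed-demo-key")
    txn_id, sms = browser_submit(server, "alice", intended, mitb)
    if phone_compromised:
        # Slide 13: malware on the phone hides the SMS and passes the code on,
        # so the user's check in steps 4-6 never happens.
        code = SMS_PATTERN.fullmatch(sms).group(1)
    else:
        code = user_checks_sms(intended, sms)
    if code is None:
        return False, server.executed  # user refused to copy the code
    return server.receive_code(txn_id, code), server.executed

# Constructed sample: pay 100 to account 1234.56.78901; the MitB hook sends the
# same amount to an account the attacker controls instead.
INTENDED = Transaction("1234.56.78901", 100)

def redirect_to_attacker(txn):
    return Transaction("9999.99.99999", txn.amount)
```

Calling run_session_only(INTENDED, redirect_to_attacker) executes the redirected transaction: the session is genuinely the user's, but the message is the malware's. run_dual_channel(INTENDED, redirect_to_attacker) stops at the user's SMS check, because the SMS carries the destination the server actually received. With phone_compromised=True the server's verification passes and the ledger entry is, on the server side, indistinguishable from a genuine one; the protocol's value rests entirely on the two channels staying independent, which is the assumption the man-in-the-mobile attack breaks.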
Security / Usability Trade-off
• In many cases a trade-off exists between usability and theoretical security.
• It may be meaningful to reduce the level of theoretical security to improve the overall level of actual security.
Diagram labels: Security, Usability.
Mobile security conflicts of interest
Parties on the slide: User / Employee; OS/phone manufacturer; Telco; Company / Government; Hacker.
That’s all