Usable Security for Smartphones

subduedjourneySoftware and s/w Development

Oct 28, 2013 (3 years and 9 months ago)

68 views

Nokia

Research Center

Usable Security
for Smartphones

Cynthia Kuo

Senior Researcher

October 26, 2010

1

Nokia

Research Center

Many Development Platforms

2

http://www.gartner.com/it/page.jsp?id=1421013

Worldwide Smartphone Sales to End Users
by Operating System in 2Q10

Coming soon…

Windows Phone 7

MeeGo (Maemo + Moblin)

BlackBerry Tablet OS


Nokia

Research Center

A Few Usable Security Topics in Smartphones


Better application permissions models


Using smartphones for authentication


Better models for website authentication


Phone
-
friendly CAPTCHAs


Lost or stolen devices / data backup and restoration




3

Nokia

Research Center

Application Permissions: Threat Model

Company Confidential

4

PC


Many users share the same
machine


Protect
users

from one
another


Implement access control on
users’
data

Smartphone


One user, one device


Users may install malicious
applications


Protect

processes

from one
another


Implement

access control on
resources


Protect
business

model

Nokia

Research Center

Application Permissions: Symbian

Company Confidential

5

Symbian signed


Application has passed
certain tests and is signed
against a certificate


Si
gned installation package
contains a list of the
application’s capabilities

Company Confidential

5

Nokia

Research Center

Application Permissions: Symbian

Self
-
signed


Has no capabilities


User

can
grant

capabilities


Blanket



Installation time


One
-
shot



W
hen the requiring
action takes place


Nokia

Research Center

Application Permissions: BlackBerry


Resource grant during installation
and first start


Configurable through menu


May also be configured by
administrator through BlackBerry
Enterprise Server


Application installation


Application permissions


Data that application can access



Company Confidential

7


Nokia

Research Center

Application Permissions: iPhone


Codesigning used for certifying
applications that pass app store
requirements


All apps need to be signed by
Apple's private key(s) to run on
(non
-
jailbroken) iPhone


Password demonstrates user’s
intent to install


No options or requests for resource
access

Company Confidential

8

Nokia

Research Center

Application Permissions: Android


Applications are self
-
signed


Used for continuity (package
updates) and integrity


Android’s blanket grant during
installation


112 Google
-
defined permissions


Developers can define their own
permissions to expose APIs to
other applications


Company Confidential

9

Content from David Barrera

Nokia

Research Center

Using Smartphones for Authentication

10

[ Coming up next! ]

Nokia

Research Center

Better Model for Authenticating Websites

11

Nokia

Research Center

Better CAPTCHAs?

12

Alex

Smolen, Becky Hurwitz, Dhawal Mujumdar, UC Berkeley i213 Spring 2010 Project

Nokia

Research Center

Lost or Stolen Devices / Data Backup and
Restoration


When your phone is your primary device, what happens when you lose it?

Company Confidential

13

Nokia

Research Center

Summary: A Few Usable Security Topics


Better application permissions models


Using smartphones for authentication


Better models for website authentication


Phone
-
friendly CAPTCHAs


Lost or stolen devices / data backup and restoration




14

Nokia

Research Center

Thank You

15

cynthia.kuo@nokia.com