Assessing Mobile Device Platforms (E-Government, M-Government context)
Thomas Zefferer, Sandra Kreuzhuber, Peter Teufl
A-SIT: Security consulting for public institutions
IAIK: IT security research
Combination: Awesome :-)
Mobile Device Security
Location, documents, credentials etc.
Threats: theft, malicious software etc.
iOS, Android, Windows Phone,
Windows Store, Blackberry, ...
Complexity: securing the systems
developing secure applications
Internal Use - MDM
Security policy modeled via MDM system
Mobile device locked down according to
Most secure deployment scenario
Not possible for citizen applications
Internal use: pressure by BYOD concept
Internal Use - BYOD
Device belongs to the user
No MDM deployment
Deployment of BYOD solutions on the user’s device
(container applications, application wrapping)
User has full control over the device
Legal and technical issues
Citizen - MGov Applications
Applications developed for the citizen
Probably handling of critical data (personal data, etc.)
Similar considerations as for BYOD (however even fewer restrictions)
Considerations are also valid for non M-Gov apps
Banking apps, password safes, theft protection apps etc.
Platform Security Features
Secure storage of credentials
Application APIs, sources
Access protection, encryption, secure storage of credentials
How does the encryption system work?
Is encryption based on a hardware element?
Is the user’s PIN involved in the key derivation function?
What is the scope of the encryption system?
What does the developer need to know?
How are backups encrypted?
Mobile Device Management
Mobile Device Management (MDM)
How is the system integrated
into the mobile device OS?
Application sources? Defined markets? Alternative sources (email, etc.)?
Security, system integration etc.
Security: What does the developer
need to know?
Usability, which permissions?
low level malware protection (buffer overflows, sandboxes, operating
system architecture, programming languages)
Fragmentation of OS versions?
Fragmentations of functionality (due to extensions of the OS)?
Platform Security - Managed
MDM, MAM: functionality!
Applications (when not restricted)
Data Protection (mainly encryption)
Challenging in terms of security
(and also legal considerations)!
Device is not managed!
Activation of OS security features depends on the user
OS integrated solutions (Blackberry Balance)
App Wrappers Blackberry
Provide mail, contacts
secure file storage in a specific application
Application cannot assume a secure
Needs to implement its own security features
encryption, secure communication, root/jailbreak checks
highly platform specific
(need to know the security features, APIs etc.)
Container applications (also valid for mGov applications with sensitive data)
Key Derivation (from password to encryption key)
is a key requirement for secure encryption systems
Key derivation principles
Salt (no pre-calculated password tables)
Long derivation time (e.g. 80ms per passcode, on iOS)
Need to have cryptographic knowhow to get it right
Mistakes: simple brute-force attacks...
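The two principles above (salt, long derivation time) as an added example that is not from the original slides: a container-style application deriving its encryption key from the user's passcode. PBKDF2-HMAC-SHA256, the iteration floor, the record layout and all function names are assumptions made for illustration; the 80 ms target is the figure quoted on the slide.

```python
import hashlib
import hmac
import os
import time

KEY_LEN = 32             # 256-bit encryption key
SALT_LEN = 16            # random salt, stored in the clear next to the ciphertext
MIN_ITERATIONS = 10_000  # assumed floor for very slow devices

def derive_key(passcode: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: passcode + salt -> encryption key."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)

def calibrate_iterations(target_seconds: float = 0.080, probe: int = 20_000) -> int:
    """Time a probe run, then scale the count to hit target_seconds on this device."""
    start = time.perf_counter()
    derive_key("calibration", os.urandom(SALT_LEN), probe)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(MIN_ITERATIONS, int(probe * target_seconds / elapsed))

def new_record(passcode: str, iterations: int) -> dict:
    """Create the stored parameters; the key itself is never written to disk."""
    salt = os.urandom(SALT_LEN)
    key = derive_key(passcode, salt, iterations)
    check = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "check": check}

def unlock(passcode: str, record: dict):
    """Re-derive the key; return it only if the passcode was correct."""
    key = derive_key(passcode, record["salt"], record["iterations"])
    check = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return key if hmac.compare_digest(check, record["check"]) else None

def exhaust_seconds(alphabet: int, length: int, seconds_per_guess: float) -> float:
    """Time to try every passcode of this shape at the given cost per guess."""
    return (alphabet ** length) * seconds_per_guess

if __name__ == "__main__":
    n = calibrate_iterations()
    rec = new_record("4711", n)            # constructed sample passcode
    assert unlock("4711", rec) is not None and unlock("4712", rec) is None
    print(f"{n} iterations per derivation")
    print(f"4-digit PIN:         {exhaust_seconds(10, 4, 0.080) / 60:.0f} minutes")
    print(f"6-char alphanumeric: {exhaust_seconds(36, 6, 0.080) / 86400 / 365:.1f} years")
```

The per-guess cost only holds on the device when the derivation is bound to a hardware element; a software-only derivation like this one can be re-run on faster hardware, so passcode length matters more than the iteration count.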
Citizen applications for handling critical data
(similar to banking apps, password safes)
same considerations as for container applications
arbitrary environment (even less restricted than in BYOD), devices, versions
threat of malware (arbitrary application sources, malware)
Best Practice Managed
encryption, MDM, application security/features
highly depends on the platform!
Stock Android: Lacking important MDM features!
Windows Phone/Windows Store:
Lacking MDM features, VPN (8.1 update...), otherwise comparable to iOS
Blackberry: Balance Framework! Good architecture.
Best Practice BYOD
Balance framework: Huge plus (integrated BYOD solution)
iOS, Windows Phone/Store:
Huge advantages over Android
Alternative sources, deeply integrated system APIs, malware situation
Best Practice Citizen App
No platform choice, market and users decide
Developing apps which handle sensitive data
Know the platforms, their security features, weaknesses
Development by a security aware team: cryptography, IT security,
detailed knowledge about the platforms
Keep data on the device limited
iOS, Windows Phone, Blackberry easier to handle. Android ???
contact me if you need the PDFs, slides