IAIK
Assessing
Mobile Device
Platforms
EGOVIS 2013
Thomas Zefferer, Sandra Kreuzhuber, Peter Teufl
IAIK
Background
A-SIT: Security consulting for public insititutions
IAIK: IT security research
Combination: Awesome :-)
Th...
IAIK
Mobile Device Security
Sensitive data
Location, documents, credentials etc.
Problems
Threats: theft, malicious softwa...
IAIK
Deployment Scenarios
E-Gov/M-Gov context
Use Cases
Internal usage (public/private sector):
Mobile-Device-Management (...
IAIK
Internal Use - MDM
Security policy modeled via MDM system
Mobile device locked down according to
policy/requirements
...
IAIK
Internal Use - BYOD
Device belongs to the user
No MDM deployment
Deployment of BYOD solutions on the user’s device
(c...
IAIK
Citizen - MGov Applications
Applications developed for the citizen
Probably handling of critical data (personal data,...
IAIK
Assets, Threats
Assets
Data:
credentials, application data, location, emails, SMS, contacts, usage
patterns ... ... ....
IAIK
Platform Security Features
Data Protection
Access protection
Encryption
Secure storage of credentials
MDM
Malware Res...
IAIK
Access protection, encryption, secure storage of credentials
How does the encryption system work?
Is encryption based...
IAIK
Example: iOS/Android Encryption
Lock-
Screen
Type Length Chars
Number of
passcodes
Brute-Force
Days
Numerical 4 10 10...
IAIK
Mobile Device Management
Mobile Device Management (MDM)
Which rules?
How is the system integrated
into the mobile dev...
IAIK
Applications
Application sources? Defined markets? Alternative sources (email, etc.)?
Application APIs?
Security, syst...
IAIK
Core Security
OS security
low level malware protection (buffer overflows, sandboxes, operating
sytem architecture, pro...
IAIK
Platform Security - Managed
Managed devices
Which criteria?
MDM, MAM: functionality!
Applications (when not restricte...
IAIK
BYOD
Challenging in terms of security
(and also legal considerations)!
Device is not managed!
Activation of OS securi...
IAIK
MDM, BYOD
MDM
Security Config
MAM App App
App App
Smartphone
Container App
Management
Security Config
Contai
ner
App
Ap...
IAIK
BYOD
Container Applications
Provide mail, contacts
browser, calendar
secure file storage in a specific application
Appl...
IAIK
Example
Container applications (also valid for mGov applications with sensitive data)
Key Derivation (from password t...
IAIK
Example
Brute-Force
Days
0.0
0.9
92.6
9,259.3
1.6
2,015.5
72,559.4
2,612,138.8
94,036,996.9
3,385,331,888.9
13.7
848....
IAIK
Citizen Application
Citizen applications for handling criticial data
(similar to banking apps, password safes)
same c...
IAIK
Best Practice Managed
iOS:
encryption, MDM, application security/features
Android:
highly depends on the platform!
St...
IAIK
Best Practice BYOD
Blackberry:
Balance framework: Huge plus (integrated BYOD solution)
iOS, Windows Phone/Store:
Huge...
IAIK
Best Practice Citizen App
No platform choice, market and users decide
Developing apps which handle sensitive data
Kno...
IAIK
References, Contact
peter.teufl@iaik.tugraz.at
thomas.zefferer@iaik.tugraz.at
Refs:
https://sites.google.com/site/acnw...
IAIK
Thx, and enjoy Praha!
Upcoming SlideShare
Loading in...5
×

Assessing Mobile Device Platforms (E-Government, M-Government context)

333

Published on

http://link.springer.com/chapter/10.1007%2F978-3-642-40160-2_11

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
333
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
24
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Assessing Mobile Device Platforms (E-Government, M-Government context)

  1. 1. IAIK Assessing Mobile Device Platforms EGOVIS 2013 Thomas Zefferer, Sandra Kreuzhuber, Peter Teufl
  2. 2. IAIK Background A-SIT: Security consulting for public insititutions IAIK: IT security research Combination: Awesome :-) Thomas Zefferer Sandra Kreuzhuber Peter Teufl A-SIT
  3. 3. IAIK Mobile Device Security Sensitive data Location, documents, credentials etc. Problems Threats: theft, malicious software etc. Heterogeneous platforms iOS, Android, Windows Phone, Windows Store, Blackberry, ... Complexity: securing the systems developing secure applications
  4. 4. IAIK Deployment Scenarios E-Gov/M-Gov context Use Cases Internal usage (public/private sector): Mobile-Device-Management (MDM) solution Bring-Your-Own-Device (BYOD) Citizen Citizen applications (within M-Gov context)
  5. 5. IAIK Internal Use - MDM Security policy modeled via MDM system Mobile device locked down according to policy/requirements PLUS Most secure deployment scenario MINUS Not possibile for citizen applications Internal use: pressure by BYOD concept
  6. 6. IAIK Internal Use - BYOD Device belongs to the user No MDM deployment Deployment of BYOD solutions on the user’s device (container applications, application wrapping) PLUS User has full control over the device MINUS Security! Legal and technical issues
  7. 7. IAIK Citizen - MGov Applications Applications developed for the citizen Probably handling of critical data (personal data, etc.) Similar considerations as for BYOD (however even fewer restrictions) Considerations are also valid for non M-Gov apps Banking apps, password safes, theft protection apps etc.
  8. 8. IAIK Assets, Threats Assets Data: credentials, application data, location, emails, SMS, contacts, usage patterns ... ... ... Threats Theft Malware
  9. 9. IAIK Platform Security Features Data Protection Access protection Encryption Secure storage of credentials MDM Malware Resistance Application APIs, sources Permission system Rooting, jailbreaking? OS security Updates, fragmentation Security Analysis?
  10. 10. IAIK Access protection, encryption, secure storage of credentials How does the encryption system work? Is encryption based on a hardware element? Is the user’s PIN involved in the key derivation function? What is the scope of the encryption system? What does the developer need to know? How are backups encrypted? Access Protection
  11. 11. IAIK Example: iOS/Android Encryption Lock- Screen Type Length Chars Number of passcodes Brute-Force Days Numerical 4 10 10000 0.0 6 10 1000000 0.9 8 10 100000000 92.6 10 10 10000000000 9,259.3 Alphanum 4 36 1679616 1.6 10/26 letters 6 36 2176782336 2,015.5 7 36 78364164096 72,559.4 8 36 2.82111E+12 2,612,138.8 9 36 1.0156E+14 94,036,996.9 10 36 3.65616E+15 3,385,331,888.9 Alphanum 4 62 14776336 13.7 5 62 916132832 848.3 10/52 letters 6 62 56800235584 52,592.8 7 62 3.52161E+12 3,260,754.3 8 62 2.1834E+14 202,166,764.4 9 62 1.35371E+16 12,534,339,394.7 Complex 4 107 131079601 121.4 5 107 14025517307 12,986.6 6 107 1.50073E+12 1,389,565.1 7 107 1.60578E+14 148,683,470.0 8 107 1.71819E+16 15,909,131,294.7 iOS on device Brute-Force Days 1 instance Brute-Force Days (1000 instances) Cost $ On-Demand Instances 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 1.3 2.6 0.0 133.3 0.0 0.0 0.0 0.6 0.0 29.0 20.7 0.0 1,044.9 746.3 0.7 37,614.8 26,867.7 26.9 1,354,132.8 967,237.7 967.2 48,748,779.2 0.0 0.0 0.2 0.2 0.0 12.2 15.0 0.0 757.3 931.6 0.9 46,954.9 57,761.9 57.8 2,911,201.4 3,581,239.8 3,581.2 180,494,487.3 0.0 0.0 1.7 3.7 0.0 187.0 397.0 0.4 20,009.7 42,481.0 42.5 2,141,042.0 4,545,466.1 4,545.5 229,091,490.6 Android Amazon GPUAndroid Amazon GPU GPU Price
  12. 12. IAIK Mobile Device Management Mobile Device Management (MDM) Which rules? How is the system integrated into the mobile device OS? Fragmentation?
  13. 13. IAIK Applications Application sources? Defined markets? Alternative sources (email, etc.)? Application APIs? Security, system integration etc. Security: What does the developer need to know? Permission System? Usability, which permissions?
  14. 14. IAIK Core Security OS security low level malware protection (buffer overflows, sandboxes, operating sytem architecture, programming languages) Updates, fragmentation Updates? Fragmentation of OS versions? Fragmentations of functionality (due to extensions of the OS)?
  15. 15. IAIK Platform Security - Managed Managed devices Which criteria? MDM, MAM: functionality! Applications (when not restricted) Data Protection (mainly encryption) MDM Security Config MAM App App App App Smartphone
  16. 16. IAIK BYOD Challenging in terms of security (and also legal considerations)! Device is not managed! Activation of OS security features depends on the user Solutions: Container applications Application wrappers OS integrated solutions (Blackberry Balance)
  17. 17. IAIK MDM, BYOD MDM Security Config MAM App App App App Smartphone Container App Management Security Config Contai ner App App App Smartphone Application Wrapper Management Security Config Smartphone App App App App MDM Security Config MAM Business Area App App Security Config Private Area Smartphone App App MDM Container App App Wrappers Blackberry Balance
  18. 18. IAIK BYOD Container Applications Provide mail, contacts browser, calendar secure file storage in a specific application Application cannot assume a secure environment: Needs to implement its own security features encryption, secure communication, root/jailbreak checks highly platform specific (need to know the security features, APIs etc.)
  19. 19. IAIK Example Container applications (also valid for mGov applications with sensitive data) Key Derivation (from password to encryption key) is a key requirement for secure encryption systems Key derivation principles Salt (no pre-calculated password tables Long derivation time (e.g. 80ms per passcode, on iOS) Need to have cryptographic knowhow to get it right Mistakes: simple brute-force attacks... Data encryption key Passcode Key derivation Derived key Salt
  20. 20. IAIK Example Brute-Force Days 0.0 0.9 92.6 9,259.3 1.6 2,015.5 72,559.4 2,612,138.8 94,036,996.9 3,385,331,888.9 13.7 848.3 52,592.8 3,260,754.3 202,166,764.4 12,534,339,394.7 121.4 12,986.6 1,389,565.1 148,683,470.0 15,909,131,294.7 iOS on device Lock-Screen Type Length Chars Number of passcodes Brute-Force DaysBrute-Force Days Cost $ GPU Numerical 4 10 10000 0.0 0.0 0.0 6 10 1000000 0.0 0.0 0.0 8 10 100000000 0.0 0.0 0.0 10 10 10000000000 0.2 0.0 0.0 Alphanum 4 36 1679616 0.0 0.0 0.0 10/26 letters 6 36 2176782336 0.0 0.0 0.0 7 36 78364164096 1.3 0.0 0.2 8 36 2.82111E+12 46.6 0.0 8.3 9 36 1.0156E+14 1,679.2 1.7 299.0 10 36 3.65616E+15 60,452.4 60.5 10,763.7 Alphanum 4 62 14776336 0.0 0.0 0.0 5 62 916132832 0.0 0.0 0.0 10/52 letters 6 62 56800235584 0.9 0.0 0.2 7 62 3.52161E+12 58.2 0.1 10.4 8 62 2.1834E+14 3,610.1 3.6 642.8 9 62 1.35371E+16 223,827.5 223.8 39,852.9 Complex 4 107 131079601 0.0 0.0 0.0 5 107 14025517307 0.2 0.0 0.0 6 107 1.50073E+12 24.8 0.0 4.4 7 107 1.60578E+14 2,655.1 2.7 472.7 8 107 1.71819E+16 284,091.6 284.1 50,583.1
  21. 21. IAIK Citizen Application Citizen applications for handling criticial data (similar to banking apps, password safes) same considerations as for container applications arbitrary environment (even less restricted as in BYOD), devices, versions threat of malware (arbitrary application sources, malware)
  22. 22. IAIK Best Practice Managed iOS: encryption, MDM, application security/features Android: highly depends on the platform! Stock Android: Lacking important MDM features! Windows Phone/Windows Store: Lacking MDM features, VPN (8.1 update...), otherwise comparable to iOS Blackberry: Balance Framework! Good architecture.
  23. 23. IAIK Best Practice BYOD Blackberry: Balance framework: Huge plus (integrated BYOD solution) iOS, Windows Phone/Store: Huge advantages over Android Android: Alternative sources, deeply integrated system APIs, malware situation
  24. 24. IAIK Best Practice Citizen App No platform choice, market and users decide Developing apps which handle sensitive data Know the platforms, their security features, weaknesses Development by a security aware team: cryptography, IT security, detailed knowledge about the platforms Keep data on the device limited iOS, Windows Phone, Blackberry easier to handle. Android ???
  25. 25. IAIK References, Contact peter.teufl@iaik.tugraz.at thomas.zefferer@iaik.tugraz.at Refs: https://sites.google.com/site/acnws2012/ http://www.iaik.tugraz.at/content/about_iaik/people/teufl_peter/ contact me if you need the PDFs, slides
  26. 26. IAIK Thx, and enjoy Praha!
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×