• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Assessing Mobile Device Platforms (E-Government, M-Government context)
 

Assessing Mobile Device Platforms (E-Government, M-Government context)

on

  • 302 views

http://link.springer.com/chapter/10.1007%2F978-3-642-40160-2_11

http://link.springer.com/chapter/10.1007%2F978-3-642-40160-2_11

Statistics

Views

Total Views
302
Views on SlideShare
302
Embed Views
0

Actions

Likes
1
Downloads
12
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

CC Attribution License

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Assessing Mobile Device Platforms (E-Government, M-Government context) Assessing Mobile Device Platforms (E-Government, M-Government context) Presentation Transcript

    • IAIK Assessing Mobile Device Platforms EGOVIS 2013 Thomas Zefferer, Sandra Kreuzhuber, Peter Teufl
    • IAIK Background A-SIT: Security consulting for public insititutions IAIK: IT security research Combination: Awesome :-) Thomas Zefferer Sandra Kreuzhuber Peter Teufl A-SIT
    • IAIK Mobile Device Security Sensitive data Location, documents, credentials etc. Problems Threats: theft, malicious software etc. Heterogeneous platforms iOS, Android, Windows Phone, Windows Store, Blackberry, ... Complexity: securing the systems developing secure applications
    • IAIK Deployment Scenarios E-Gov/M-Gov context Use Cases Internal usage (public/private sector): Mobile-Device-Management (MDM) solution Bring-Your-Own-Device (BYOD) Citizen Citizen applications (within M-Gov context)
    • IAIK Internal Use - MDM Security policy modeled via MDM system Mobile device locked down according to policy/requirements PLUS Most secure deployment scenario MINUS Not possibile for citizen applications Internal use: pressure by BYOD concept
    • IAIK Internal Use - BYOD Device belongs to the user No MDM deployment Deployment of BYOD solutions on the user’s device (container applications, application wrapping) PLUS User has full control over the device MINUS Security! Legal and technical issues
    • IAIK Citizen - MGov Applications Applications developed for the citizen Probably handling of critical data (personal data, etc.) Similar considerations as for BYOD (however even fewer restrictions) Considerations are also valid for non M-Gov apps Banking apps, password safes, theft protection apps etc.
    • IAIK Assets, Threats Assets Data: credentials, application data, location, emails, SMS, contacts, usage patterns ... ... ... Threats Theft Malware
    • IAIK Platform Security Features Data Protection Access protection Encryption Secure storage of credentials MDM Malware Resistance Application APIs, sources Permission system Rooting, jailbreaking? OS security Updates, fragmentation Security Analysis?
    • IAIK Access protection, encryption, secure storage of credentials How does the encryption system work? Is encryption based on a hardware element? Is the user’s PIN involved in the key derivation function? What is the scope of the encryption system? What does the developer need to know? How are backups encrypted? Access Protection
    • IAIK Example: iOS/Android Encryption Lock- Screen Type Length Chars Number of passcodes Brute-Force Days Numerical 4 10 10000 0.0 6 10 1000000 0.9 8 10 100000000 92.6 10 10 10000000000 9,259.3 Alphanum 4 36 1679616 1.6 10/26 letters 6 36 2176782336 2,015.5 7 36 78364164096 72,559.4 8 36 2.82111E+12 2,612,138.8 9 36 1.0156E+14 94,036,996.9 10 36 3.65616E+15 3,385,331,888.9 Alphanum 4 62 14776336 13.7 5 62 916132832 848.3 10/52 letters 6 62 56800235584 52,592.8 7 62 3.52161E+12 3,260,754.3 8 62 2.1834E+14 202,166,764.4 9 62 1.35371E+16 12,534,339,394.7 Complex 4 107 131079601 121.4 5 107 14025517307 12,986.6 6 107 1.50073E+12 1,389,565.1 7 107 1.60578E+14 148,683,470.0 8 107 1.71819E+16 15,909,131,294.7 iOS on device Brute-Force Days 1 instance Brute-Force Days (1000 instances) Cost $ On-Demand Instances 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 1.3 2.6 0.0 133.3 0.0 0.0 0.0 0.6 0.0 29.0 20.7 0.0 1,044.9 746.3 0.7 37,614.8 26,867.7 26.9 1,354,132.8 967,237.7 967.2 48,748,779.2 0.0 0.0 0.2 0.2 0.0 12.2 15.0 0.0 757.3 931.6 0.9 46,954.9 57,761.9 57.8 2,911,201.4 3,581,239.8 3,581.2 180,494,487.3 0.0 0.0 1.7 3.7 0.0 187.0 397.0 0.4 20,009.7 42,481.0 42.5 2,141,042.0 4,545,466.1 4,545.5 229,091,490.6 Android Amazon GPUAndroid Amazon GPU GPU Price
    • IAIK Mobile Device Management Mobile Device Management (MDM) Which rules? How is the system integrated into the mobile device OS? Fragmentation?
    • IAIK Applications Application sources? Defined markets? Alternative sources (email, etc.)? Application APIs? Security, system integration etc. Security: What does the developer need to know? Permission System? Usability, which permissions?
    • IAIK Core Security OS security low level malware protection (buffer overflows, sandboxes, operating sytem architecture, programming languages) Updates, fragmentation Updates? Fragmentation of OS versions? Fragmentations of functionality (due to extensions of the OS)?
    • IAIK Platform Security - Managed Managed devices Which criteria? MDM, MAM: functionality! Applications (when not restricted) Data Protection (mainly encryption) MDM Security Config MAM App App App App Smartphone
    • IAIK BYOD Challenging in terms of security (and also legal considerations)! Device is not managed! Activation of OS security features depends on the user Solutions: Container applications Application wrappers OS integrated solutions (Blackberry Balance)
    • IAIK MDM, BYOD MDM Security Config MAM App App App App Smartphone Container App Management Security Config Contai ner App App App Smartphone Application Wrapper Management Security Config Smartphone App App App App MDM Security Config MAM Business Area App App Security Config Private Area Smartphone App App MDM Container App App Wrappers Blackberry Balance
    • IAIK BYOD Container Applications Provide mail, contacts browser, calendar secure file storage in a specific application Application cannot assume a secure environment: Needs to implement its own security features encryption, secure communication, root/jailbreak checks highly platform specific (need to know the security features, APIs etc.)
    • IAIK Example Container applications (also valid for mGov applications with sensitive data) Key Derivation (from password to encryption key) is a key requirement for secure encryption systems Key derivation principles Salt (no pre-calculated password tables Long derivation time (e.g. 80ms per passcode, on iOS) Need to have cryptographic knowhow to get it right Mistakes: simple brute-force attacks... Data encryption key Passcode Key derivation Derived key Salt
    • IAIK Example Brute-Force Days 0.0 0.9 92.6 9,259.3 1.6 2,015.5 72,559.4 2,612,138.8 94,036,996.9 3,385,331,888.9 13.7 848.3 52,592.8 3,260,754.3 202,166,764.4 12,534,339,394.7 121.4 12,986.6 1,389,565.1 148,683,470.0 15,909,131,294.7 iOS on device Lock-Screen Type Length Chars Number of passcodes Brute-Force DaysBrute-Force Days Cost $ GPU Numerical 4 10 10000 0.0 0.0 0.0 6 10 1000000 0.0 0.0 0.0 8 10 100000000 0.0 0.0 0.0 10 10 10000000000 0.2 0.0 0.0 Alphanum 4 36 1679616 0.0 0.0 0.0 10/26 letters 6 36 2176782336 0.0 0.0 0.0 7 36 78364164096 1.3 0.0 0.2 8 36 2.82111E+12 46.6 0.0 8.3 9 36 1.0156E+14 1,679.2 1.7 299.0 10 36 3.65616E+15 60,452.4 60.5 10,763.7 Alphanum 4 62 14776336 0.0 0.0 0.0 5 62 916132832 0.0 0.0 0.0 10/52 letters 6 62 56800235584 0.9 0.0 0.2 7 62 3.52161E+12 58.2 0.1 10.4 8 62 2.1834E+14 3,610.1 3.6 642.8 9 62 1.35371E+16 223,827.5 223.8 39,852.9 Complex 4 107 131079601 0.0 0.0 0.0 5 107 14025517307 0.2 0.0 0.0 6 107 1.50073E+12 24.8 0.0 4.4 7 107 1.60578E+14 2,655.1 2.7 472.7 8 107 1.71819E+16 284,091.6 284.1 50,583.1
    • IAIK Citizen Application Citizen applications for handling criticial data (similar to banking apps, password safes) same considerations as for container applications arbitrary environment (even less restricted as in BYOD), devices, versions threat of malware (arbitrary application sources, malware)
    • IAIK Best Practice Managed iOS: encryption, MDM, application security/features Android: highly depends on the platform! Stock Android: Lacking important MDM features! Windows Phone/Windows Store: Lacking MDM features, VPN (8.1 update...), otherwise comparable to iOS Blackberry: Balance Framework! Good architecture.
    • IAIK Best Practice BYOD Blackberry: Balance framework: Huge plus (integrated BYOD solution) iOS, Windows Phone/Store: Huge advantages over Android Android: Alternative sources, deeply integrated system APIs, malware situation
    • IAIK Best Practice Citizen App No platform choice, market and users decide Developing apps which handle sensitive data Know the platforms, their security features, weaknesses Development by a security aware team: cryptography, IT security, detailed knowledge about the platforms Keep data on the device limited iOS, Windows Phone, Blackberry easier to handle. Android ???
    • IAIK References, Contact peter.teufl@iaik.tugraz.at thomas.zefferer@iaik.tugraz.at Refs: https://sites.google.com/site/acnws2012/ http://www.iaik.tugraz.at/content/about_iaik/people/teufl_peter/ contact me if you need the PDFs, slides
    • IAIK Thx, and enjoy Praha!