Mobile Security Sticks and Carrots

Mobile Application Security and Mobile Security Applications: Sticks and Carrots
30 September 2011
Craig HeathIndependent Mobile Security Consultant

Topics
Who the [heck] are you?
Why can’t you turn this [stupid] security off?
Comparing security frameworks on the main platforms
What’s in it for me?
Security apps that vendors and operators aren’t doing
Notarised call recording
Premium charge warning
Trustworthy viewport
30 September 2011
2
© Franklin Heath Ltd

My Background
Working in systems software security since 1989
UNIX and Enterprise Java
Focus on mobile platforms since 2002
Responsible for Symbian’s platform security strategy
Lead author of the book “Symbian OS Platform Security”
Chief Security Technologist at the Symbian Foundation
Now providing independent security consultancy
Set up Franklin Heath Ltd in November 2010
30 September 2011
3

Why We Need Application Security
Bad guys are deploying malicious phone apps to defraud people for commercial gain
Stealing virtual goods and credits
Premium rate messaging fraud
Phishing (e.g. banking MTANs)
People need and expect their phones to be more trustworthy than their PCs have been
Emergency calls
Personal data (e.g. location, contacts, photos)
30 September 2011
4

Fraudulent Apps are Real
30 September 2011
5

Mobile Device Security and Privacy Does Matter
Organised crime is monetising mobile vulnerabilities
ZitMo in Europe, trojans in China and Russia
Phone software platforms are becoming more uniform
Easier to target a bigger “addressable market”
Android market share increasing, iPhone steady
But don’t forget “legacy” Symbian devices (still 100s of millions)
Widespread privacy breaches are sensitising people
e.g. Sony PlayStation Network
WSJ coverage of bad practice in mobile applications
30 September 2011
6

Comparing Application Testing
Apple and Google are two extremes of approach
iTunes app store inspects every application and can reject for arbitrary reasons
Good for consumers, bad for developers
Android Market “common carrier” approach: pass though everything submitted, remove apps only if complaints made
Good for developers, bad for consumers
Symbian Signed did standardised third-party testing
Middle ground, manages costs, but provides little defence against deliberate malware
Note that Nokia app store adds additional manual QA inspection
30 September 2011
7

Comparing Application Signing
Developer signing requirements vary
Android: “self-signed”, free to create a certificate
iPhone: Apple developer registration includes certificate cost
Symbian Signed required a third-party, $200, certificate
Signing party for “production” apps also varies
iTunes, Amazon uses only an app store signature
Android Market uses only the developer signature
Symbian Signed uses only the certifier signature
30 September 2011
8

Comparing Copy Protection
iTunes app store uses Apple proprietary FairPlay DRM
Android Market doesn’t provide automatic copy protection, but Google provides libraries for developers to invoke a licence server
Nokia app store has lightweight “forward lock” copy protection
30 September 2011
9

Opportunity: Put the User in Control
Ways to benefit end user, not the vendor or operator
Correcting “information asymmetries” to benefit consumers
More usable control over personal information sharing
Tools for the paranoid (or security professional )
Putting users in control of their own data and their own charges is the right thing to do
But usability is key
Don’t cause security prompt blindness
Don’t put the responsibility on them as a cop-out
10
30 September 2011

Idea 1: Notarised Call Recording
“Reciprocal Transparency” – who watches the watchers?
When you call a utility company, do you hear “this call may be recorded”?
it’s being recorded for their benefit, not yours
Have you ever been told they will do something, but when you call back: “I’m sorry, I have no record of that”?
probably they do, but you can’t prove it: information asymmetry
Why isn’t this built in to my phone?
Hypothesis: difficult to do legally in all jurisdictions?
30 September 2011
11

Idea 1: Notarised Call RecordingWhat can be done?
Even a simple recording would help, with the call log
but unlikely to be good enough evidence to use in court
Could combine this with a “digital notary”
take a hash of the recording (prevents future tampering)
have the hash signed by a trusted third party with a time stamp
proves that the recording was made at or before that time
Make sure it’s legal in the UK
Play a recorded announcement at the start? (= reciprocal)
30 September 2011
12

Idea 2: Premium Charge Warning
Premium rate voice and SMS service providers in the UK are required by law to advise consumers of their charges in advance
but they haven’t always done this is the most obvious way
malware isn’t going to respect this
In the UK, you can discover the charges with a free SMS (76787)
also available as a web-based online number checker
but I doubt many people use this regularly
It would be much more useful if your phone did this for you
operators may not like this (could discourage use of legitimate services)
30 September 2011
13

Idea 2: Premium Charge WarningWhat can be done?
Filter to check numbers your phone is calling and texting, and warning before the call is placed if it’s premium rate
“allow this application to spend 50p?” would be far more usable than “allow this application to make phone calls and send text messages?”
Could be extended to enforce rules, e.g.
allow this application to spend up to £5
allow this application to send 2 texts per day
But, data isn’t easily available, and the hooks aren’t easily accessible on all phone platforms
a “proof of concept” app could allow pressure to be brought
30 September 2011
14

Idea 2: Premium Charge WarningProof-of-concept Possibilities
Screen-scraping of the PhonePayPlus number checker
http://www.phonepayplus.org.uk/Number-Checker/Check-a-Number-Results.aspx?ncn=number
Trapping the call/SMS before it’s sent
On Android, ACTION_NEW_OUTGOING_CALL broadcast action allows voice calls to be intercepted
No equivalent for SMS?
Charge information for number ranges is available commercially
Could it be a marketing opportunity for the holders to make it available for free in some way, limited to this purpose?
Could it be made available as part of government Open Data?
30 September 2011
15

Idea 3: Trustworthy Viewport
Typical desktop web commerce model is for the user to enter a password to confirm the transaction
OK if the user confirms they are giving it to the payment provider and not to a “phishing” site
Mobile browsers lack the visual security cues
No room on a small screen for the window “chrome”
Apps can draw on the entire display area
Desktop model of entering password to authorize the transaction is dangerous on mobile
30 September 2011
16

Examples of Insecure Mobile Experience for In-App Payments
30 September 2011
17

Idea 3: Trustworthy ViewportWhat can be done?
Have a “helper” app provide the UI for password entry
Show the user something that a malicious app can’t
e.g. Yahoo! “sign-in seal”, 3D Secure “Personal Assurance Message”
Couple that with a clear indication of the origin of the view contents
c.f. Internet Explorer highlighting the 2nd level domain, Firefox green background for EV server certificates, etc.
Wrapper for Android WebView?
30 September 2011
18

Open Discussion…
30 September 2011
19

http://lanyrd.com	16
http://lanyrd.com	16
http://beta.babelverse.com	9
http://d.babelverse.com	2
http://www.linkedin.com	2

Mobile Security Sticks and Carrots

by Craig Heath

Accessibility

Categories

Upload Details

Usage Rights

5 Embeds 45

Statistics

Mobile Security Sticks and Carrots Presentation Transcript