Slide 1: Mobile Application Security and Mobile Security Applications: Sticks and Carrots
Craig Heath, Independent Mobile Security Consultant
30 September 2011
© Franklin Heath Ltd
Slide 2: Topics
  • Who the [heck] are you?
  • Why can’t you turn this [stupid] security off?
    – Comparing security frameworks on the main platforms
  • What’s in it for me?
    – Security apps that vendors and operators aren’t doing:
      · Notarised call recording
      · Premium charge warning
      · Trustworthy viewport
Slide 3: My Background
  • Working in systems software security since 1989 (UNIX and Enterprise Java)
  • Focus on mobile platforms since 2002
    – Responsible for Symbian’s platform security strategy
    – Lead author of the book “Symbian OS Platform Security”
    – Chief Security Technologist at the Symbian Foundation
  • Now providing independent security consultancy
    – Set up Franklin Heath Ltd in November 2010
Slide 4: Why We Need Application Security
  • Bad guys are deploying malicious phone apps to defraud people for commercial gain
    – Stealing virtual goods and credits
    – Premium rate messaging fraud
    – Phishing (e.g. banking MTANs)
  • People need and expect their phones to be more trustworthy than their PCs have been
    – Emergency calls
    – Personal data (e.g. location, contacts, photos)
Slide 5: Fraudulent Apps are Real (screenshots)
Slide 6: Mobile Device Security and Privacy Does Matter
  • Organised crime is monetising mobile vulnerabilities
    – ZitMo in Europe, trojans in China and Russia
  • Phone software platforms are becoming more uniform
    – Easier to target a bigger “addressable market”
    – Android market share increasing, iPhone steady
    – But don’t forget “legacy” Symbian devices (still 100s of millions)
  • Widespread privacy breaches are sensitising people
    – e.g. Sony PlayStation Network
    – WSJ coverage of bad practice in mobile applications
Slide 7: Comparing Application Testing
  • Apple and Google are two extremes of approach
    – iTunes app store inspects every application and can reject for arbitrary reasons: good for consumers, bad for developers
    – Android Market “common carrier” approach: pass through everything submitted, remove apps only if complaints are made: good for developers, bad for consumers
  • Symbian Signed did standardised third-party testing
    – Middle ground, manages costs, but provides little defence against deliberate malware
    – Note that the Nokia app store adds additional manual QA inspection
Slide 8: Comparing Application Signing
  • Developer signing requirements vary
    – Android: “self-signed”, free to create a certificate
    – iPhone: Apple developer registration includes certificate cost
    – Symbian Signed required a third-party certificate costing $200
  • Signing party for “production” apps also varies
    – iTunes and Amazon use only an app store signature
    – Android Market uses only the developer signature
    – Symbian Signed uses only the certifier signature
Slide 9: Comparing Copy Protection
  • iTunes app store uses Apple’s proprietary FairPlay DRM
  • Android Market doesn’t provide automatic copy protection, but Google provides libraries for developers to invoke a licence server
  • Nokia app store has lightweight “forward lock” copy protection
Slide 10: Opportunity: Put the User in Control
  • Ways to benefit the end user, not the vendor or operator
    – Correcting “information asymmetries” to benefit consumers
    – More usable control over personal information sharing
    – Tools for the paranoid (or security professional)
  • Putting users in control of their own data and their own charges is the right thing to do
  • But usability is key
    – Don’t cause security prompt blindness
    – Don’t put the responsibility on them as a cop-out
Slide 11: Idea 1: Notarised Call Recording
  • “Reciprocal Transparency” – who watches the watchers?
  • When you call a utility company, do you hear “this call may be recorded”?
    – It’s being recorded for their benefit, not yours
  • Have you ever been told they will do something, but when you call back: “I’m sorry, I have no record of that”?
    – Probably they do, but you can’t prove it: information asymmetry
  • Why isn’t this built in to my phone?
    – Hypothesis: difficult to do legally in all jurisdictions?
Slide 12: Idea 1: Notarised Call Recording – What can be done?
  • Even a simple recording would help, with the call log
    – but unlikely to be good enough evidence to use in court
  • Could combine this with a “digital notary”
    – take a hash of the recording (prevents future tampering)
    – have the hash signed by a trusted third party with a time stamp
    – proves that the recording was made at or before that time
  • Make sure it’s legal in the UK
    – Play a recorded announcement at the start? (= reciprocal)
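The “digital notary” flow from this slide, as an added example in Go that is not part of the talk: the phone hashes the recording, the notary signs the hash together with the time it asserts, and anyone holding the notary’s public key can later check both. The notary is simulated with an Ed25519 key pair generated locally, the call audio is a constructed byte string, and the function names are this example’s own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// NotaryToken is what the trusted third party hands back.
type NotaryToken struct {
	Digest    [32]byte
	Timestamp int64 // Unix seconds, asserted by the notary, not by the phone
	Signature []byte
}

func HashRecording(recording []byte) [32]byte {
	return sha256.Sum256(recording) // any later edit to the audio changes this digest
}

// signedMessage binds digest and timestamp so neither can be swapped alone.
func signedMessage(digest [32]byte, ts int64) []byte {
	msg := make([]byte, 32+8)
	copy(msg, digest[:])
	binary.BigEndian.PutUint64(msg[32:], uint64(ts))
	return msg
}

// Notarise is the notary's side: it sees only the hash, never the call audio.
func Notarise(key ed25519.PrivateKey, digest [32]byte, ts int64) NotaryToken {
	return NotaryToken{digest, ts, ed25519.Sign(key, signedMessage(digest, ts))}
}

// Verify checks the recording is unchanged since notarisation and the token is genuine.
func Verify(pub ed25519.PublicKey, recording []byte, tok NotaryToken) bool {
	if HashRecording(recording) != tok.Digest {
		return false // audio edited after it was notarised
	}
	return ed25519.Verify(pub, signedMessage(tok.Digest, tok.Timestamp), tok.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stand-in for the notary's key pair
	audio := []byte("constructed stand-in for call audio")
	tok := Notarise(priv, HashRecording(audio), 1317340800) // constructed time: 30 Sep 2011 UTC
	fmt.Println("original verifies:", Verify(pub, audio, tok))
	audio[0] ^= 1 // simulate a later edit to the recording
	fmt.Println("edited verifies:", Verify(pub, audio, tok))
}
```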
Slide 13: Idea 2: Premium Charge Warning
  • Premium rate voice and SMS service providers in the UK are required by law to advise consumers of their charges in advance
    – but they haven’t always done this in the most obvious way
    – malware isn’t going to respect this
  • In the UK, you can discover the charges with a free SMS (76787)
    – also available as a web-based online number checker
    – but I doubt many people use this regularly
  • It would be much more useful if your phone did this for you
    – operators may not like this (could discourage use of legitimate services)
Slide 14: Idea 2: Premium Charge Warning – What can be done?
  • Filter to check numbers your phone is calling and texting, and warn before the call is placed if it’s premium rate
    – “allow this application to spend 50p?” would be far more usable than “allow this application to make phone calls and send text messages?”
  • Could be extended to enforce rules, e.g.
    – allow this application to spend up to £5
    – allow this application to send 2 texts per day
  • But data isn’t easily available, and the hooks aren’t easily accessible on all phone platforms
    – a “proof of concept” app could allow pressure to be brought
Slide 15: Idea 2: Premium Charge Warning – Proof-of-concept Possibilities
  • Screen-scraping of the PhonePayPlus number checker
    – http://www.phonepayplus.org.uk/Number-Checker/Check-a-Number-Results.aspx?ncn=number
  • Trapping the call/SMS before it’s sent
    – On Android, the ACTION_NEW_OUTGOING_CALL broadcast action allows voice calls to be intercepted
    – No equivalent for SMS?
  • Charge information for number ranges is available commercially
    – Could it be a marketing opportunity for the holders to make it available for free in some way, limited to this purpose?
    – Could it be made available as part of government Open Data?
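The filter and the two enforceable rules from slides 14 and 15, as an added example in Go that is not from the talk: a number is checked against a tariff table before the call or text goes out, and the answer is either a block or a prompt worded in money. The tariff table and the short code are constructed; a real filter would draw on number-range data such as the PhonePayPlus checker, and on Android the voice path would hang off an ACTION_NEW_OUTGOING_CALL receiver.

```go
package main

import "fmt"
import "strings"

// Constructed tariff table (pence) keyed by dialling prefix or full short code;
// "09"/"118" are UK premium rate ranges with assumed sample charges, "81234" a
// made-up premium SMS short code. Real data: e.g. the PhonePayPlus number checker.
var tariffPence = map[string]int{"09": 150, "118": 250, "81234": 100}

// AppPolicy holds the per-application rules from the slides plus running counters.
type AppPolicy struct {
	BudgetPence int // "allow this application to spend up to £5"
	TextsPerDay int // "allow this application to send 2 texts per day"
	spentPence  int
	textsToday  int
}

// ChargeFor returns the premium charge in pence, or 0 for a standard-rate number.
func ChargeFor(number string) int {
	n := strings.NewReplacer(" ", "", "-", "").Replace(number)
	charge, bestLen := 0, 0
	for prefix, p := range tariffPence { // longest matching prefix wins
		if strings.HasPrefix(n, prefix) && len(prefix) > bestLen {
			charge, bestLen = p, len(prefix)
		}
	}
	return charge
}

// Check runs before an outgoing call or text is placed (on Android a receiver for
// ACTION_NEW_OUTGOING_CALL would call it for voice). It returns whether the action
// may proceed and the message to show: a blocking reason, or a prompt in money terms.
func (p *AppPolicy) Check(number string, isText bool) (bool, string) {
	charge := ChargeFor(number)
	if p.spentPence+charge > p.BudgetPence {
		return false, fmt.Sprintf("blocked: %dp charge would exceed budget", charge)
	}
	if isText {
		if p.textsToday >= p.TextsPerDay {
			return false, "blocked: daily text limit reached"
		}
		p.textsToday++
	}
	p.spentPence += charge
	if charge == 0 {
		return true, "" // standard rate: nothing to ask
	}
	return true, fmt.Sprintf("allow this application to spend %dp?", charge)
}
```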
Slide 16: Idea 3: Trustworthy Viewport
  • Typical desktop web commerce model is for the user to enter a password to confirm the transaction
    – OK if the user confirms they are giving it to the payment provider and not to a “phishing” site
  • Mobile browsers lack the visual security cues
    – No room on a small screen for the window “chrome”
    – Apps can draw on the entire display area
  • Desktop model of entering a password to authorize the transaction is dangerous on mobile
Slide 17: Examples of Insecure Mobile Experience for In-App Payments (screenshots)
Slide 18: Idea 3: Trustworthy Viewport – What can be done?
  • Have a “helper” app provide the UI for password entry
  • Show the user something that a malicious app can’t
    – e.g. Yahoo! “sign-in seal”, 3D Secure “Personal Assurance Message”
  • Couple that with a clear indication of the origin of the view contents
    – cf. Internet Explorer highlighting the 2nd level domain, Firefox green background for EV server certificates, etc.
  • Wrapper for Android WebView?
Slide 19: Open Discussion…

Editor's Notes

  • #6 One of the two apps was on the official Android Market (the other on an “independent app store”). Dozens of cases of trojaned Android apps with estimated 100,000s downloads opening up remote C&C.
  • #9 Nokia store will now sign on your behalf (and issue UIDs and DevCerts) without requiring a Publisher ID for Express Signed capabilities.
  • #11 “Information asymmetry” is an economic term, referring to transactions in which one party has more, or better, information than the other. BTW, what’s not an opportunity is anti-virus software.
  • #12 Commercial ($10) Android app “Total Recall”.
  • #13 Commercial ($10) Android app “Total Recall”.
  • #14 PhonePayPlus consultation doesn’t address deliberate fraud.
  • #16 Telcordia Mobile ID: http://www.telcordia.com/services/interconnection/mobile-id.html
  • #18 There is no law (or technology) that prevents malicious applications from drawing pictures of padlocks.