Indrek Saar: "Mobile Application Server-Side Security Peculiarities"

Mobile Application Server-Side Security Peculiarities Indrek Saar, Software Security Architect, Playtech Kristjan Habicht, Architect, Playtech 7th September 2009

What is different?

What is different? • Transport layer security • Available encryption methods • Getting random • Servlet container disadvantages • Client-server protocol optimizations • Fat server - thin client

Transport layer security methods • Cannot use plain sockets: • “Suspicious” traffic is blocked • Prefer port 80 and http • Using https creates fake security impression • From device to operator non-SSL • From operator to service SSL  We do custom encryption inside http

Available encryption methods • All clients are different • J2ME versions are different We cannot rely on platforms crypto methods • Client hardware is weakness: memory, CPU, bandwith • Devices are too slow for standard methods  We have implemented our own encryption scheme

Custom encryption scheme • PKI + AES • Implements known procedures for • Handshake, key exchange • Replay attack mitigation  Server-side must support this

Getting random • Mainly for previous slide: for data encryption scheme • Problem: J2ME JVM are not able to provide secure random  Get it from user!

Servlet container disadvantages • According to Servlet standard: • New Java thread for each request • Mobile proxy as "translator" • Small requests waiting for other services • It does not scale  Custom HTTP with NIO

Client-server protocol optimizations • Saving bandwith • Saving volume transferred  Optimize client-server commands  Less legacy clients

Fat server – thin client • Frequent client update is problematic • Dynamic screens: our own html • Some more calculations done on server

Other issue worth to mention • Certificate problem • Missing proper list of root CA’s on phones • Annoying warnings when downloaded file is signed with "unkown" certificate • Problematic use native https

Thank you for listening! indrek.saar@playtech.com kristjan.habicht@playtech.com

http://www.momoestonia.com	28
http://www.mobilemonday.net	9
http://www.slideshare.net	1

Indrek Saar: "Mobile Application Server-Side Security Peculiarities"

by Mobile Monday Estonia on Sep 17, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

3 Embeds 38

Statistics

Indrek Saar: "Mobile Application Server-Side Security Peculiarities" — Presentation Transcript