Indrek Saar: "Mobile Application Server-Side Security Peculiarities" - Presentation Transcript
Mobile Application Server-Side
Security Peculiarities
Indrek Saar, Software Security Architect, Playtech
Kristjan Habicht, Architect, Playtech
7th September 2009
What is different?
What is different?
• Transport layer security
• Available encryption methods
• Getting random
• Servlet container disadvantages
• Client-server protocol optimizations
• Fat server - thin client
Transport layer security methods
• Cannot use plain sockets:
• “Suspicious” traffic is blocked
• Prefer port 80 and http
• Using https creates fake security impression
• From device to operator non-SSL
• From operator to service SSL
We do custom encryption inside http
Available encryption methods
• All clients are different
• J2ME versions are different
We cannot rely on platforms crypto methods
• Client hardware is the weakness: memory, CPU, bandwidth
• Devices are too slow for standard methods
We have implemented our own encryption scheme
Custom encryption scheme
• PKI + AES
• Implements known procedures for
• Handshake, key exchange
• Replay attack mitigation
Server-side must support this
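The slide names the building blocks (PKI for the handshake, AES for the session, replay mitigation) but not the wire format. The following is an added illustration of the server side of such a scheme, written for this page and not Playtech's actual protocol: the client wraps a fresh AES session key with the server's RSA public key (OAEP), every message carries a sequence number that is bound into an AES-GCM authentication tag as associated data, and the server accepts a message only if its sequence number is strictly greater than the last one it authenticated. The message layout, the 128-bit key size and the `Client` helper used to drive `main()` are all assumptions of this example.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Server side of a simplified "PKI + AES" session. Illustration only; not Playtech's protocol. */
public class SessionServer {
    private static final int NONCE_LEN = 12;   // 96-bit GCM nonce
    private static final int TAG_BITS = 128;   // GCM authentication tag length

    private final PrivateKey serverPrivateKey;
    private SecretKey sessionKey;              // AES key unwrapped during the handshake
    private long lastSeq = -1;                 // highest sequence number already authenticated

    public SessionServer(PrivateKey serverPrivateKey) { this.serverPrivateKey = serverPrivateKey; }

    /** Handshake: the client sends the AES session key wrapped with the server's RSA public key. */
    public void handshake(byte[] wrappedSessionKey) throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.DECRYPT_MODE, serverPrivateKey);
        sessionKey = new SecretKeySpec(rsa.doFinal(wrappedSessionKey), "AES");
        lastSeq = -1;                          // a new session starts its own counter
    }

    /** Assumed layout: seq (8 bytes big-endian) || nonce (12 bytes) || AES-GCM ciphertext+tag. */
    public byte[] receive(byte[] message) throws GeneralSecurityException {
        if (sessionKey == null) throw new IllegalStateException("handshake not completed");
        ByteBuffer buf = ByteBuffer.wrap(message);
        long seq = buf.getLong();
        byte[] nonce = new byte[NONCE_LEN];
        buf.get(nonce);
        byte[] ct = new byte[buf.remaining()];
        buf.get(ct);

        // Replay mitigation: reject anything at or below the last authenticated counter.
        // Cheap check first; the counter itself is only trusted once the tag verifies below.
        if (seq <= lastSeq) throw new SecurityException("replayed or out-of-order message: seq=" + seq);

        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, sessionKey, new GCMParameterSpec(TAG_BITS, nonce));
        aes.updateAAD(ByteBuffer.allocate(8).putLong(seq).array());   // seq is authenticated, not encrypted
        byte[] plaintext = aes.doFinal(ct);   // throws AEADBadTagException if seq, nonce or data were altered
        lastSeq = seq;                        // advance only after authentication succeeded
        return plaintext;
    }

    /** Client-side counterpart, present only so main() can exercise the server. */
    static final class Client {
        final SecretKey key; final PublicKey serverPub; long seq = 0;
        final SecureRandom rnd = new SecureRandom();
        Client(PublicKey serverPub) throws GeneralSecurityException {
            this.serverPub = serverPub;
            KeyGenerator kg = KeyGenerator.getInstance("AES"); kg.init(128); key = kg.generateKey();
        }
        byte[] wrapKey() throws GeneralSecurityException {
            Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
            rsa.init(Cipher.ENCRYPT_MODE, serverPub);
            return rsa.doFinal(key.getEncoded());
        }
        byte[] send(String text) throws GeneralSecurityException {
            byte[] nonce = new byte[NONCE_LEN]; rnd.nextBytes(nonce);   // fresh nonce per message
            Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
            aes.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
            aes.updateAAD(ByteBuffer.allocate(8).putLong(seq).array());
            byte[] ct = aes.doFinal(text.getBytes(StandardCharsets.UTF_8));
            byte[] out = ByteBuffer.allocate(8 + NONCE_LEN + ct.length).putLong(seq).put(nonce).put(ct).array();
            seq++;
            return out;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(2048);
        KeyPair serverKeys = kpg.generateKeyPair();
        SessionServer server = new SessionServer(serverKeys.getPrivate());
        Client client = new Client(serverKeys.getPublic());
        server.handshake(client.wrapKey());

        byte[] m1 = client.send("constructed message 1");
        System.out.println(new String(server.receive(m1), StandardCharsets.UTF_8));
        try { server.receive(m1); }                       // same bytes again: a replay
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
        byte[] m2 = client.send("constructed message 2");
        System.out.println(new String(server.receive(m2), StandardCharsets.UTF_8));
    }
}
```

Two details carry the replay protection: the sequence number is covered by the GCM tag, so an attacker cannot re-label an old ciphertext with a higher counter, and `lastSeq` only moves forward after a successful `doFinal`, so a forged counter cannot be used to lock out legitimate traffic. A server that keeps the session keyed by client identity can store `lastSeq` per session, which is what "server-side must support this" amounts to in practice.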
Getting random
• Mainly for previous slide: for data encryption scheme
• Problem: J2ME JVMs are not able to provide secure random
Get it from user!
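An added example, not code from the talk, of what "get it from user" can look like on the client: an entropy pool that hashes key-press and pointer events (code plus inter-event timing) and only releases a seed once a conservative bit count has been reached. `MessageDigest` is used here for brevity; a real J2ME MIDlet would have to ship its own hash, and the per-event credits (2 bits per key, 4 per pointer event) are assumptions, not measured figures.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Entropy pool fed from user interaction. Added illustration for the slide above. */
public class UserEntropyPool {
    private static final int REQUIRED_BITS = 128;   // do not hand out a seed before this many bits

    private final MessageDigest pool;               // SHA-256 accumulates every event we see
    private int estimatedBits = 0;                  // conservative tally of unpredictable bits
    private long lastEventNanos = 0;

    public UserEntropyPool() throws NoSuchAlgorithmException { pool = MessageDigest.getInstance("SHA-256"); }

    /** A key press: the key code itself and, more usefully, the time since the previous event. */
    public void addKeyEvent(int keyCode, long eventNanos) {
        mix(keyCode);
        mixTiming(eventNanos);
        estimatedBits += 2;          // assumption: ~2 bits of unpredictability per key press
    }

    /** A pointer/touch event: coordinates plus timing. */
    public void addPointerEvent(int x, int y, long eventNanos) {
        mix(x); mix(y);
        mixTiming(eventNanos);
        estimatedBits += 4;          // assumption: ~4 bits per pointer event
    }

    /** Whatever the device has (clock, free heap): mixed in for variety but credited 0 bits. */
    public void addDeviceState() {
        mix(System.nanoTime());
        mix(Runtime.getRuntime().freeMemory());
    }

    public boolean isReady() { return estimatedBits >= REQUIRED_BITS; }

    /** Finalises the pool into a 32-byte seed for the client's PRNG and starts a fresh pool. */
    public byte[] seed() {
        if (!isReady()) throw new IllegalStateException("need " + (REQUIRED_BITS - estimatedBits) + " more bits");
        byte[] out = pool.digest();  // digest() also resets the MessageDigest
        estimatedBits = 0;
        return out;
    }

    private void mixTiming(long eventNanos) {
        mix(eventNanos - lastEventNanos);   // the delta is what the user controls unconsciously
        lastEventNanos = eventNanos;
    }

    private void mix(long v) {
        for (int i = 0; i < 8; i++) pool.update((byte) (v >>> (8 * i)));
    }

    public static void main(String[] args) throws Exception {
        UserEntropyPool p = new UserEntropyPool();
        p.addDeviceState();
        // Constructed stand-in for real key presses: in a MIDlet these calls would come from keyPressed().
        for (int i = 0; i < 64; i++) {
            p.addKeyEvent('0' + (i % 10), System.nanoTime());
            Thread.sleep(1);         // only so consecutive deltas differ in this simulation
        }
        System.out.println("ready: " + p.isReady());
        StringBuilder hex = new StringBuilder();
        for (byte b : p.seed()) hex.append(String.format("%02x", b));
        System.out.println("seed: " + hex);
    }
}
```

The point of the tally is that a single screen tap is not a seed: the client keeps collecting until the estimate crosses the threshold and the server-side scheme should treat anything produced before that as untrusted (for example by having the server contribute its own nonce to the handshake rather than relying on client randomness alone).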
Servlet container disadvantages
• According to Servlet standard:
• New Java thread for each request
• Mobile proxy as "translator"
• Small requests waiting for other services
• It does not scale
Custom HTTP with NIO
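To make the thread-per-request point concrete, here is an added example (not Playtech's server) of the shape a custom HTTP front-end on `java.nio` takes: one selector thread accepts connections, reads request bytes as they arrive and writes the response, so a slow client or a request waiting on a back-end service occupies a buffer, not a thread. The port, the 8 KiB request cap and the trivial `response()` are assumptions; real routing and back-end calls would hang off `response()`.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.nio.ByteBuffer;
import java.nio.channels.SelectionKey;
import java.nio.channels.Selector;
import java.nio.channels.ServerSocketChannel;
import java.nio.channels.SocketChannel;
import java.nio.charset.StandardCharsets;
import java.util.Iterator;

/** Minimal single-threaded NIO HTTP responder. Added illustration, not the talk's code. */
public class NioHttpServer {
    private static final int MAX_REQUEST = 8192;   // assumed cap: oversized requests are dropped

    public static void main(String[] args) throws IOException {
        Selector selector = Selector.open();
        ServerSocketChannel server = ServerSocketChannel.open();
        server.bind(new InetSocketAddress(8080));   // assumed port
        server.configureBlocking(false);
        server.register(selector, SelectionKey.OP_ACCEPT);

        while (true) {                               // the one thread that services every connection
            selector.select();
            Iterator<SelectionKey> it = selector.selectedKeys().iterator();
            while (it.hasNext()) {
                SelectionKey key = it.next();
                it.remove();
                try {
                    if (key.isAcceptable()) accept(selector, server);
                    else if (key.isReadable()) read(key);
                    else if (key.isWritable()) write(key);
                } catch (IOException e) {            // a broken client must not take the loop down
                    key.cancel();
                    key.channel().close();
                }
            }
        }
    }

    private static void accept(Selector selector, ServerSocketChannel server) throws IOException {
        SocketChannel client = server.accept();
        if (client == null) return;
        client.configureBlocking(false);
        // Per-connection state is just this buffer; no thread is parked on the socket.
        client.register(selector, SelectionKey.OP_READ, ByteBuffer.allocate(MAX_REQUEST));
    }

    private static void read(SelectionKey key) throws IOException {
        SocketChannel ch = (SocketChannel) key.channel();
        ByteBuffer in = (ByteBuffer) key.attachment();
        int n = ch.read(in);
        if (n < 0) { key.cancel(); ch.close(); return; }             // peer closed
        if (!in.hasRemaining()) { key.cancel(); ch.close(); return; } // header block too large
        String soFar = new String(in.array(), 0, in.position(), StandardCharsets.ISO_8859_1);
        if (soFar.indexOf("\r\n\r\n") < 0) return;   // headers incomplete: stay registered, wait for more bytes
        String requestLine = soFar.substring(0, soFar.indexOf("\r\n"));
        key.attach(ByteBuffer.wrap(response(requestLine)));
        key.interestOps(SelectionKey.OP_WRITE);      // switch this channel to the write phase
    }

    private static void write(SelectionKey key) throws IOException {
        SocketChannel ch = (SocketChannel) key.channel();
        ByteBuffer out = (ByteBuffer) key.attachment();
        ch.write(out);                               // may write partially; we are called again if so
        if (!out.hasRemaining()) { key.cancel(); ch.close(); }
    }

    /** Placeholder handler: echoes the request line. Routing to back-end services would go here. */
    static byte[] response(String requestLine) {
        String body = "handled: " + requestLine + "\n";
        String head = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: " + body.length()
                + "\r\nConnection: close\r\n\r\n";
        return (head + body).getBytes(StandardCharsets.ISO_8859_1);
    }
}
```

Contrast this with the servlet model on the slide: under a servlet container the "headers incomplete" branch would be a thread blocked in `InputStream.read()` for as long as the handset takes to deliver the rest of the request, and "small requests waiting for other services" would each pin a thread for the whole round trip. The request-size cap and the close-on-error path are the two defensive details worth keeping in any hand-rolled HTTP layer.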
Fat server – thin client
• Frequent client update is problematic
• Dynamic screens: our own html
• Some more calculations done on server
Other issues worth mentioning
• Certificate problem
• Missing proper list of root CAs on phones
• Annoying warnings when the downloaded file is signed with an "unknown" certificate
• Problematic to use native https
Thank you for listening!
indrek.saar@playtech.com
kristjan.habicht@playtech.com