Indrek Saar: "Mobile Application Server-Side Security Peculiarities"


    Indrek Saar: "Mobile Application Server-Side Security Peculiarities" - Presentation Transcript

    1. Mobile Application Server-Side Security Peculiarities
       Indrek Saar, Software Security Architect, Playtech
       Kristjan Habicht, Architect, Playtech
       7th September 2009
    2. What is different?
    3. What is different?
       • Transport layer security
       • Available encryption methods
       • Getting random
       • Servlet container disadvantages
       • Client-server protocol optimizations
       • Fat server - thin client
    4. Transport layer security methods
       • Cannot use plain sockets:
         • "Suspicious" traffic is blocked
         • Prefer port 80 and http
       • Using https creates a false impression of security:
         • From device to operator: non-SSL
         • From operator to service: SSL
       -> We do custom encryption inside http
    5. Available encryption methods
       • All clients are different
       • J2ME versions are different
       -> We cannot rely on the platform's crypto methods
       • Client hardware is the weakness: memory, CPU, bandwidth
       • Devices are too slow for standard methods
       -> We have implemented our own encryption scheme
    6. Custom encryption scheme
       • PKI + AES
       • Implements known procedures for:
         • Handshake, key exchange
         • Replay attack mitigation
       -> Server-side must support this
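    Added example, not code from the presentation or from Playtech: the server-side part of slide 6 that the deck says the server must support, a per-session replay check over a counter the client attaches to every request. It assumes the AES session key has already been agreed in the handshake and, because the deck gives no message format, authenticates each request with an HMAC-SHA256 tag over counter plus body; the names, the message layout and the sliding-window approach are assumptions.

```python
import hmac
import hashlib
import struct

# Assumed message format (the deck does not give one): each request carries a
# per-session counter, the body, and tag = HMAC-SHA256(session_key, counter || body).


def seal(session_key: bytes, counter: int, body: bytes) -> tuple:
    """Client side: attach the counter and an authentication tag to a request."""
    tag = hmac.new(session_key, struct.pack(">Q", counter) + body, hashlib.sha256).digest()
    return counter, body, tag


class ReplayGuard:
    """Server-side state for one client session whose key came out of the handshake.

    Accepts each counter at most once and tolerates out-of-order delivery within a
    sliding window (the same idea IPsec and DTLS use), so a captured request cannot
    be resent later to repeat its effect.
    """

    def __init__(self, session_key: bytes, window: int = 64):
        self.key = session_key
        self.window = window
        self.highest = 0   # highest counter accepted so far (counters start at 1)
        self.seen = 1      # bit i set => counter (highest - i) accepted; counter 0 marked used

    def accept(self, counter: int, body: bytes, tag: bytes) -> bool:
        # Authenticate before touching any state, so forged requests cannot move the window.
        expected = hmac.new(self.key, struct.pack(">Q", counter) + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        if counter > self.highest:
            # Newer than anything seen: slide the window forward and mark this counter.
            shift = counter - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << self.window) - 1)
            self.highest = counter
            return True
        behind = self.highest - counter
        if behind >= self.window:
            return False   # too old to track: reject rather than risk a replay
        bit = 1 << behind
        if self.seen & bit:
            return False   # exact replay of an already accepted request
        self.seen |= bit   # late but legitimate out-of-order request
        return True
```

    Each session needs its own ReplayGuard keyed by the session identifier the handshake produced; the check rejects a repeated counter even when the tag is valid, which is what makes a recorded request useless to whoever captured it on the non-SSL leg.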
    7. Getting random
       • Mainly for the previous slide: for the data encryption scheme
       • Problem: J2ME JVMs are not able to provide secure random
       -> Get it from the user!
    8. Servlet container disadvantages
       • According to the Servlet standard:
         • New Java thread for each request
       • Mobile proxy as "translator"
       • Small requests waiting for other services
       • It does not scale
       -> Custom HTTP with NIO
    9. Client-server protocol optimizations
       • Saving bandwidth
       • Saving volume transferred
       -> Optimize client-server commands
       -> Fewer legacy clients
    10. Fat server – thin client
       • Frequent client updates are problematic
       • Dynamic screens: our own HTML
       • Some more calculations done on the server
    11. Other issues worth mentioning
       • Certificate problem
         • Missing proper list of root CAs on phones
         • Annoying warnings when a downloaded file is signed with an "unknown" certificate
       • Problematic use of native https
    12. Thank you for listening!
       indrek.saar@playtech.com
       kristjan.habicht@playtech.com

    Mobile Monday Estonia, 2 months ago