Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Paweł Jakub Dawidek: Zarządzanie danymi wrażliwymi w aplikacjach - analiza bezpieczeństwa platform mobilnych.


Published on

Prezentacja pokaże historyczny rozwój platform mobilnych na przykładzie naszego doświadczenia z użycia technologii mobilnych w bankowości elektronicznej/mobilnej oraz przeanalizuje i porówna bezpieczeństwo platform mobilnych.

Published in: Mobile
  • Be the first to comment

  • Be the first to like this

Paweł Jakub Dawidek: Zarządzanie danymi wrażliwymi w aplikacjach - analiza bezpieczeństwa platform mobilnych.

  1. 1. Managing sensitive data in mobile applications Paweł Jakub Dawidek CTO <>
  2. 2. a bit of history
  3. 3. in 2004 we start a company (Wheel Systems) after 12 years... mission not yet fully accomplished, but really soon now in 2005 we deploy CERB (corporate version) for the first time our mission: eliminate static passwords! our product: authentication system (CERB) which uses mobile application as one-time password generator it is 2004, so the name for the app is obvious: JavaToken in 2007 we deploy CERB Banking in Eurobank in 2013 we launch Mobter
  4. 4. JavaToken Can run on (almost) any Java phone Implements AES, SHA256 Fits easily into 30kB limit
  5. 5. challenges
  6. 6. no SSL/TLS (no secure transport) no AppStore, no Google Play no applications signing no secure updates internet communication only during installation no PIN to unlock your phone, no TouchID, etc. not enough power to harden PIN no full disk encryption 30kB application size limit
  7. 7. solutions
  8. 8. .jar contains a secret encrypted using activation code application built-in secret dedicated .jar for every customer activation code provided in bank outpost unpredictable URL send via WAP-Push or SMS (no access for bank’s employees) start identifier challenge compression (9 digits) no local PIN verification (a playing card hint, 6.25%, 625)
  9. 9. technologies available back then
  10. 10. desktop OS vs. mobile OS
  11. 11. application isolation much more secure installation process mobile OSes designed for single user separation between applications autonomous platform (problem when compromised) native apps allow for better security than web sites (eg. certificate pinning)
  12. 12. Android fragmentation problem (two dimensions)
  13. 13. much harder and longer to update for security fixes Android customized by hardware vendors and mobile operators much slower adoption for new security features various security features not available for all hardware vendors
  14. 14. data protection
  15. 15. iOS credit: NCC Group
  16. 16. iOS credit: NCC Group
  17. 17. Android credit: NCC Group
  18. 18. Android credit: NCC Group
  19. 19. Questions?