SlideShare a Scribd company logo

Smartphone Platform Security - What can we learn from Symbian?

C
Craig Heath

Presented at Cambridge Wireless, 15th January 2015.

Technology
1 of 12
Download to read offline
Franklin Heath Ltd Smartphone Platform Security What can we learn from Symbian? Craig Heath Independent Security Consultant 15 Jan 2015
© Franklin Heath Ltd c b CC BY 3.0 Discussion Points  Was Symbian OS platform security a success?  Did developer difficulties with platform security contribute to Symbian’s downfall?  Could those difficulties have been prevented?  Did Symbian’s platform security have anything better than today’s successful platforms? 15 Jan 2015 2
© Franklin Heath Ltd c b CC BY 3.0 Symbian OS Versions 15 Jan 2015 3 Without Platform Security Year Ver. UI Layer Typical Phone 2001 6.0 Series 80 Nokia 9210 2002 6.1 S60 1st Edition+FP1 Nokia 7650 MOAP(S) Fujitsu F2051 7.0 UIQ 2.0 (& 2.1) Sony Ericsson P800 2003 7.0S S60 2nd Edition+FP1 Nokia 6600 2004 8.0a S60 2nd Edition FP2 Nokia 6630 2005 8.1a S60 2nd Edition FP3 Nokia N90 2007 8.1b MOAP(S) Fujitsu F905i With Platform Security Year Ver. UI Layer Typical Phone 2006 9.1 S60 3rd Edition Nokia 3250 UIQ 3.0 Sony Ericsson P990 2007 9.2 S60 3rd Edition FP1 Nokia N95 UIQ 3.1 & 3.2 Motorola Z8 2008 9.3 S60 3rd Edition FP2 Samsung i8510 9.4 S60 5th Edition Nokia 5800 2009 Nokia N97 2010 ^2 MOAP(S) Fujitsu F-07B ^3 S60 Nokia N8 2011 Anna S60 Nokia E6
© Franklin Heath Ltd c b CC BY 3.0 Symbian Platform Security Architecture 15 Jan 2015 4  Run-time controls on system and applications  Based on long-established security principles  e.g. “Trusted Computing Base”, “Least Privilege”  Designed for mobile device use cases  low-level, highly efficient implementation  “Capabilities” determine process privileges  checked by APIs which offer security-relevant services  “Data Caging” protects stored data  protected directories for system and for applications  Secure identifiers (“SIDs”) for applications  verified at install-time
© Franklin Heath Ltd c b CC BY 3.0 Symbian OS New Malware Strains and Variants Per Month 15 Jan 2015 5 0 2 4 6 8 10 12 14 16 18 New Variant First phones introduced with platform security
© Franklin Heath Ltd c b CC BY 3.0 Developer Difficulties 15 Jan 2015 6  Compatibility break  Used as an excuse for fixing accumulated technical debt  Additional complexity  SIDs, data caging, etc.  “How do I know what capabilities I need?”  Difficulty of debugging  “Why can’t you just turn the security off?”  Cost of approval and signing  ...even though it was steadily reduced over time  Delays caused by approval and signing process  Rejections were common
© Franklin Heath Ltd c b CC BY 3.0 Aside: Symbian OS C++  Same language and environment for apps as the OS (and/or UI)  In principle allows third party developers to produce powerful apps  ... but harder to work with in-progress documentation and finicky tools  Non-standard C++ “idioms”  Descriptors, active objects, cleanup stack  ANSI exception handling came too late  Technically good (vastly more power efficient)  ... but steep learning curve  Alternatives were either too little (CDC Java, MIDP Java)  ... or too late (PIPS, Qt) 15 Jan 2015 7
© Franklin Heath Ltd c b CC BY 3.0 Symbian Signed Capability Groups 15 Jan 2015 8 User Extended (System) Extended (Restricted) Manufacturer LocalServices Location NetworkServices ReadUserData UserEnvironment WriteUserData PowerMgmt ProtServ ReadDeviceData SurroundingsDD SwEvent TrustedUI WriteDeviceData CommDD DiskAdmin NetworkControl MultimediaDD AllFiles DRM TCB
© Franklin Heath Ltd c b CC BY 3.0 Symbian Signed Capability Groups 15 Jan 2015 9 Group Additional Capabilities Permitted Unverified Verified with Publisher ID Unsigned or Self-signed Developer Certificate per IMEI(s) Developer Certificate per IMEI(s) Express Signed Certified Signed User 6 install-time user prompt Yes Yes Yes Yes Extended (System) 7 Extended (Restricted) 4 Manufacturer 3 OEM approval OEM approval
© Franklin Heath Ltd c b CC BY 3.0 Symbian Signed Costs 15 Jan 2015 10  2004, initially a branding / co-marketing programme  All outsourced costs passed to publisher (could be over $1000 per app)  Most developers were their own publisher  2006, required for “non-user-grantable” platform security capabilities  Standardised testing, lowest price €195  Still required $395 publisher ID annually  2007, reduced costs but increased complexity  Publisher IDs reduced to $200  “Express Signed” $20  subset of “extended” capabilities, self-testing with random auditing afterwards  2010, streamlined test criteria  Express Signed €10, Certified Signed €150  2010, Nokia pays for and performs signing for Ovi Store submissions
© Franklin Heath Ltd c b CC BY 3.0 What Could We Have Done Differently?  Needed more clout and/or money  Google were able to ignore operator demands  Apple were able to phase out DRM  Apple were able to subsidise approval process  CA-issued publisher IDs were probably a mistake  Self-signed works for Google Android  Didn’t help us track down malicious actors  Robustness was pretty good  User experience was pretty good 15 Jan 2015 11
© Franklin Heath Ltd c b CC BY 3.0 Discussion Points  Was Symbian OS platform security a success?  Did developer difficulties with platform security contribute to Symbian’s downfall?  Could those difficulties have been prevented?  Did Symbian’s platform security have anything better than today’s successful platforms? 15 Jan 2015 12

Recommended

Symbian os
Symbian osSymbian os
Symbian osProf.Dr.Hanumanthappa J
 
Symbian
SymbianSymbian
SymbianEzhilarasi Mathivanan
 
Symbian Daniel Rocha Mobile Expert
Symbian Daniel Rocha Mobile ExpertSymbian Daniel Rocha Mobile Expert
Symbian Daniel Rocha Mobile ExpertMobile Expert
 
FIDOAlliance
FIDOAllianceFIDOAlliance
FIDOAllianceSanjeev Verma, PhD
 
Hypori Performance Webinar
Hypori Performance WebinarHypori Performance Webinar
Hypori Performance WebinarGrafic.guru
 
Wellesley High School Career Seminars - The Entrepreneur's Perspective 2015
Wellesley High School Career Seminars - The Entrepreneur's Perspective 2015Wellesley High School Career Seminars - The Entrepreneur's Perspective 2015
Wellesley High School Career Seminars - The Entrepreneur's Perspective 2015Stephen Randall
 
Isn't it all just SMS-sending trojans?: Real Advances in Android Malware
Isn't it all just SMS-sending trojans?: Real Advances in Android MalwareIsn't it all just SMS-sending trojans?: Real Advances in Android Malware
Isn't it all just SMS-sending trojans?: Real Advances in Android MalwareJimmy Shah
 
Psion vs win ce
Psion vs win ce Psion vs win ce
Psion vs win ce Surapol Imi
 

Recommended

Symbian os
Symbian osSymbian os
Symbian osProf.Dr.Hanumanthappa J
 
Symbian
SymbianSymbian
SymbianEzhilarasi Mathivanan
 
Symbian Daniel Rocha Mobile Expert
Symbian Daniel Rocha Mobile ExpertSymbian Daniel Rocha Mobile Expert
Symbian Daniel Rocha Mobile ExpertMobile Expert
 
FIDOAlliance
FIDOAllianceFIDOAlliance
FIDOAllianceSanjeev Verma, PhD
 
Hypori Performance Webinar
Hypori Performance WebinarHypori Performance Webinar
Hypori Performance WebinarGrafic.guru
 
Wellesley High School Career Seminars - The Entrepreneur's Perspective 2015
Wellesley High School Career Seminars - The Entrepreneur's Perspective 2015Wellesley High School Career Seminars - The Entrepreneur's Perspective 2015
Wellesley High School Career Seminars - The Entrepreneur's Perspective 2015Stephen Randall
 
Isn't it all just SMS-sending trojans?: Real Advances in Android Malware
Isn't it all just SMS-sending trojans?: Real Advances in Android MalwareIsn't it all just SMS-sending trojans?: Real Advances in Android Malware
Isn't it all just SMS-sending trojans?: Real Advances in Android MalwareJimmy Shah
 
Psion vs win ce
Psion vs win ce Psion vs win ce
Psion vs win ce Surapol Imi
 
Symbian
SymbianSymbian
SymbianEzhilarasi Mathivanan
 
Symbian os
Symbian osSymbian os
Symbian osParimal Patel
 
Multi channel advantage
Multi channel advantageMulti channel advantage
Multi channel advantageDipesh Mukerji
 
Overview of Mobile Dev Platforms
Overview of Mobile Dev PlatformsOverview of Mobile Dev Platforms
Overview of Mobile Dev PlatformsMike Wolfson
 
Designing and developing a Windows Phone 7 Silverlight Application End-to-End...
Designing and developing a Windows Phone 7 Silverlight Application End-to-End...Designing and developing a Windows Phone 7 Silverlight Application End-to-End...
Designing and developing a Windows Phone 7 Silverlight Application End-to-End...Katrien De Graeve
 
Accelerating Time-To-Market with Continuous Delivery at Tech in Asia, PDC 202...
Accelerating Time-To-Market with Continuous Delivery at Tech in Asia, PDC 202...Accelerating Time-To-Market with Continuous Delivery at Tech in Asia, PDC 202...
Accelerating Time-To-Market with Continuous Delivery at Tech in Asia, PDC 202...Manoj Awasthi
 
Seminar report on Symbian OS
Seminar report on Symbian OSSeminar report on Symbian OS
Seminar report on Symbian OSDarsh Kotecha
 
iOS CI/CD: Continuous Integration and Continuous Delivery Explained
iOS CI/CD: Continuous Integration and Continuous Delivery ExplainediOS CI/CD: Continuous Integration and Continuous Delivery Explained
iOS CI/CD: Continuous Integration and Continuous Delivery ExplainedSemaphore
 
Patch Tuesday for January 2020
Patch Tuesday for January 2020Patch Tuesday for January 2020
Patch Tuesday for January 2020Ivanti
 
Ivanti Patch Tuesday for October 2019
Ivanti Patch Tuesday for October 2019Ivanti Patch Tuesday for October 2019
Ivanti Patch Tuesday for October 2019Ivanti
 
April 2019 Patch Tuesday
April 2019 Patch TuesdayApril 2019 Patch Tuesday
April 2019 Patch TuesdayIvanti
 
Symbian OS
Symbian OSSymbian OS
Symbian OSArun S Kurup
 
Smart TV Security - #1984 in 21st century -
Smart TV Security - #1984 in 21st century -Smart TV Security - #1984 in 21st century -
Smart TV Security - #1984 in 21st century -Seungjoo Kim
 
Current trends in open source and automotive
Current trends in open source and automotiveCurrent trends in open source and automotive
Current trends in open source and automotiveRyo Jin
 
2011 NASA Open Source Summit - Forge.mil
2011 NASA Open Source Summit - Forge.mil2011 NASA Open Source Summit - Forge.mil
2011 NASA Open Source Summit - Forge.milNASA Open Government Initiative
 
Android before getting started
Android before getting startedAndroid before getting started
Android before getting startedAhsanul Karim
 
Android App Security Solution
Android App Security SolutionAndroid App Security Solution
Android App Security SolutionJay Li
 
PKI in DevOps: How to Deploy Certificate Automation within CI/CD
PKI in DevOps: How to Deploy Certificate Automation within CI/CDPKI in DevOps: How to Deploy Certificate Automation within CI/CD
PKI in DevOps: How to Deploy Certificate Automation within CI/CDDevOps.com
 
What is ThousandEyes Webinar
What is ThousandEyes WebinarWhat is ThousandEyes Webinar
What is ThousandEyes WebinarThousandEyes
 
WebRTC Market Status & Voice/Video Overview
WebRTC Market Status & Voice/Video OverviewWebRTC Market Status & Voice/Video Overview
WebRTC Market Status & Voice/Video OverviewDean Bubley
 
DC4420 Bluetooth Security
DC4420 Bluetooth SecurityDC4420 Bluetooth Security
DC4420 Bluetooth SecurityCraig Heath
 
What Security Do You Need From Low-Power Wide-Area Networks?
What Security Do You Need From Low-Power Wide-Area Networks?What Security Do You Need From Low-Power Wide-Area Networks?
What Security Do You Need From Low-Power Wide-Area Networks?Craig Heath
 

More Related Content

Similar to Smartphone Platform Security - What can we learn from Symbian?

Multi channel advantage
Multi channel advantageMulti channel advantage
Multi channel advantageDipesh Mukerji
 
Overview of Mobile Dev Platforms
Overview of Mobile Dev PlatformsOverview of Mobile Dev Platforms
Overview of Mobile Dev PlatformsMike Wolfson
 
Designing and developing a Windows Phone 7 Silverlight Application End-to-End...
Designing and developing a Windows Phone 7 Silverlight Application End-to-End...Designing and developing a Windows Phone 7 Silverlight Application End-to-End...
Designing and developing a Windows Phone 7 Silverlight Application End-to-End...Katrien De Graeve
 
Accelerating Time-To-Market with Continuous Delivery at Tech in Asia, PDC 202...
Accelerating Time-To-Market with Continuous Delivery at Tech in Asia, PDC 202...Accelerating Time-To-Market with Continuous Delivery at Tech in Asia, PDC 202...
Accelerating Time-To-Market with Continuous Delivery at Tech in Asia, PDC 202...Manoj Awasthi
 
Seminar report on Symbian OS
Seminar report on Symbian OSSeminar report on Symbian OS
Seminar report on Symbian OSDarsh Kotecha
 
iOS CI/CD: Continuous Integration and Continuous Delivery Explained
iOS CI/CD: Continuous Integration and Continuous Delivery ExplainediOS CI/CD: Continuous Integration and Continuous Delivery Explained
iOS CI/CD: Continuous Integration and Continuous Delivery ExplainedSemaphore
 
Patch Tuesday for January 2020
Patch Tuesday for January 2020Patch Tuesday for January 2020
Patch Tuesday for January 2020Ivanti
 
Ivanti Patch Tuesday for October 2019
Ivanti Patch Tuesday for October 2019Ivanti Patch Tuesday for October 2019
Ivanti Patch Tuesday for October 2019Ivanti
 
April 2019 Patch Tuesday
April 2019 Patch TuesdayApril 2019 Patch Tuesday
April 2019 Patch TuesdayIvanti
 
Smart TV Security - #1984 in 21st century -
Smart TV Security - #1984 in 21st century -Smart TV Security - #1984 in 21st century -
Smart TV Security - #1984 in 21st century -Seungjoo Kim
 
Current trends in open source and automotive
Current trends in open source and automotiveCurrent trends in open source and automotive
Current trends in open source and automotiveRyo Jin
 
Android before getting started
Android before getting startedAndroid before getting started
Android before getting startedAhsanul Karim
 
Android App Security Solution
Android App Security SolutionAndroid App Security Solution
Android App Security SolutionJay Li
 
PKI in DevOps: How to Deploy Certificate Automation within CI/CD
PKI in DevOps: How to Deploy Certificate Automation within CI/CDPKI in DevOps: How to Deploy Certificate Automation within CI/CD
PKI in DevOps: How to Deploy Certificate Automation within CI/CDDevOps.com
 
What is ThousandEyes Webinar
What is ThousandEyes WebinarWhat is ThousandEyes Webinar
What is ThousandEyes WebinarThousandEyes
 
WebRTC Market Status & Voice/Video Overview
WebRTC Market Status & Voice/Video OverviewWebRTC Market Status & Voice/Video Overview
WebRTC Market Status & Voice/Video OverviewDean Bubley
 

Similar to Smartphone Platform Security - What can we learn from Symbian? (20)

Symbian
SymbianSymbian
Symbian
 
Symbian os
Symbian osSymbian os
Symbian os
 
Multi channel advantage
Multi channel advantageMulti channel advantage
Multi channel advantage
 
Overview of Mobile Dev Platforms
Overview of Mobile Dev PlatformsOverview of Mobile Dev Platforms
Overview of Mobile Dev Platforms
 
Designing and developing a Windows Phone 7 Silverlight Application End-to-End...
Designing and developing a Windows Phone 7 Silverlight Application End-to-End...Designing and developing a Windows Phone 7 Silverlight Application End-to-End...
Designing and developing a Windows Phone 7 Silverlight Application End-to-End...
 
Accelerating Time-To-Market with Continuous Delivery at Tech in Asia, PDC 202...
Accelerating Time-To-Market with Continuous Delivery at Tech in Asia, PDC 202...Accelerating Time-To-Market with Continuous Delivery at Tech in Asia, PDC 202...
Accelerating Time-To-Market with Continuous Delivery at Tech in Asia, PDC 202...
 
Seminar report on Symbian OS
Seminar report on Symbian OSSeminar report on Symbian OS
Seminar report on Symbian OS
 
iOS CI/CD: Continuous Integration and Continuous Delivery Explained
iOS CI/CD: Continuous Integration and Continuous Delivery ExplainediOS CI/CD: Continuous Integration and Continuous Delivery Explained
iOS CI/CD: Continuous Integration and Continuous Delivery Explained
 
Patch Tuesday for January 2020
Patch Tuesday for January 2020Patch Tuesday for January 2020
Patch Tuesday for January 2020
 
Ivanti Patch Tuesday for October 2019
Ivanti Patch Tuesday for October 2019Ivanti Patch Tuesday for October 2019
Ivanti Patch Tuesday for October 2019
 
April 2019 Patch Tuesday
April 2019 Patch TuesdayApril 2019 Patch Tuesday
April 2019 Patch Tuesday
 
Symbian OS
Symbian OSSymbian OS
Symbian OS
 
Smart TV Security - #1984 in 21st century -
Smart TV Security - #1984 in 21st century -Smart TV Security - #1984 in 21st century -
Smart TV Security - #1984 in 21st century -
 
Current trends in open source and automotive
Current trends in open source and automotiveCurrent trends in open source and automotive
Current trends in open source and automotive
 
2011 NASA Open Source Summit - Forge.mil
2011 NASA Open Source Summit - Forge.mil2011 NASA Open Source Summit - Forge.mil
2011 NASA Open Source Summit - Forge.mil
 
Android before getting started
Android before getting startedAndroid before getting started
Android before getting started
 
Android App Security Solution
Android App Security SolutionAndroid App Security Solution
Android App Security Solution
 
PKI in DevOps: How to Deploy Certificate Automation within CI/CD
PKI in DevOps: How to Deploy Certificate Automation within CI/CDPKI in DevOps: How to Deploy Certificate Automation within CI/CD
PKI in DevOps: How to Deploy Certificate Automation within CI/CD
 
What is ThousandEyes Webinar
What is ThousandEyes WebinarWhat is ThousandEyes Webinar
What is ThousandEyes Webinar
 
WebRTC Market Status & Voice/Video Overview
WebRTC Market Status & Voice/Video OverviewWebRTC Market Status & Voice/Video Overview
WebRTC Market Status & Voice/Video Overview
 

More from Craig Heath

DC4420 Bluetooth Security
DC4420 Bluetooth SecurityDC4420 Bluetooth Security
DC4420 Bluetooth SecurityCraig Heath
 
What Security Do You Need From Low-Power Wide-Area Networks?
What Security Do You Need From Low-Power Wide-Area Networks?What Security Do You Need From Low-Power Wide-Area Networks?
What Security Do You Need From Low-Power Wide-Area Networks?Craig Heath
 
The Future of Computer Security and Cybercrime
The Future of Computer Security and CybercrimeThe Future of Computer Security and Cybercrime
The Future of Computer Security and CybercrimeCraig Heath
 
Security Lessons from Bletchley Park and Enigma
Security Lessons from Bletchley Park and EnigmaSecurity Lessons from Bletchley Park and Enigma
Security Lessons from Bletchley Park and EnigmaCraig Heath
 
Security Lessons from Bletchley Park and Enigma
Security Lessons from Bletchley Park and EnigmaSecurity Lessons from Bletchley Park and Enigma
Security Lessons from Bletchley Park and EnigmaCraig Heath
 
Fund Raising with an Android Enigma Machine Simulator
Fund Raising with an Android Enigma Machine SimulatorFund Raising with an Android Enigma Machine Simulator
Fund Raising with an Android Enigma Machine SimulatorCraig Heath
 
Mobile Security Sticks and Carrots
Mobile Security Sticks and CarrotsMobile Security Sticks and Carrots
Mobile Security Sticks and CarrotsCraig Heath
 
People Power in Your Pocket
People Power in Your PocketPeople Power in Your Pocket
People Power in Your PocketCraig Heath
 

More from Craig Heath (8)

DC4420 Bluetooth Security
DC4420 Bluetooth SecurityDC4420 Bluetooth Security
DC4420 Bluetooth Security
 
What Security Do You Need From Low-Power Wide-Area Networks?
What Security Do You Need From Low-Power Wide-Area Networks?What Security Do You Need From Low-Power Wide-Area Networks?
What Security Do You Need From Low-Power Wide-Area Networks?
 
The Future of Computer Security and Cybercrime
The Future of Computer Security and CybercrimeThe Future of Computer Security and Cybercrime
The Future of Computer Security and Cybercrime
 
Security Lessons from Bletchley Park and Enigma
Security Lessons from Bletchley Park and EnigmaSecurity Lessons from Bletchley Park and Enigma
Security Lessons from Bletchley Park and Enigma
 
Security Lessons from Bletchley Park and Enigma
Security Lessons from Bletchley Park and EnigmaSecurity Lessons from Bletchley Park and Enigma
Security Lessons from Bletchley Park and Enigma
 
Fund Raising with an Android Enigma Machine Simulator
Fund Raising with an Android Enigma Machine SimulatorFund Raising with an Android Enigma Machine Simulator
Fund Raising with an Android Enigma Machine Simulator
 
Mobile Security Sticks and Carrots
Mobile Security Sticks and CarrotsMobile Security Sticks and Carrots
Mobile Security Sticks and Carrots
 
People Power in Your Pocket
People Power in Your PocketPeople Power in Your Pocket
People Power in Your Pocket
 

Recently uploaded

Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate AgentsRyan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate AgentsRyan Mahoney
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate AgentsRyan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 

Smartphone Platform Security - What can we learn from Symbian?

  • 1. Franklin Heath Ltd Smartphone Platform Security What can we learn from Symbian? Craig Heath Independent Security Consultant 15 Jan 2015
  • 2. © Franklin Heath Ltd c b CC BY 3.0 Discussion Points  Was Symbian OS platform security a success?  Did developer difficulties with platform security contribute to Symbian’s downfall?  Could those difficulties have been prevented?  Did Symbian’s platform security have anything better than today’s successful platforms? 15 Jan 2015 2
  • 3. © Franklin Heath Ltd c b CC BY 3.0 Symbian OS Versions 15 Jan 2015 3 Without Platform Security Year Ver. UI Layer Typical Phone 2001 6.0 Series 80 Nokia 9210 2002 6.1 S60 1st Edition+FP1 Nokia 7650 MOAP(S) Fujitsu F2051 7.0 UIQ 2.0 (& 2.1) Sony Ericsson P800 2003 7.0S S60 2nd Edition+FP1 Nokia 6600 2004 8.0a S60 2nd Edition FP2 Nokia 6630 2005 8.1a S60 2nd Edition FP3 Nokia N90 2007 8.1b MOAP(S) Fujitsu F905i With Platform Security Year Ver. UI Layer Typical Phone 2006 9.1 S60 3rd Edition Nokia 3250 UIQ 3.0 Sony Ericsson P990 2007 9.2 S60 3rd Edition FP1 Nokia N95 UIQ 3.1 & 3.2 Motorola Z8 2008 9.3 S60 3rd Edition FP2 Samsung i8510 9.4 S60 5th Edition Nokia 5800 2009 Nokia N97 2010 ^2 MOAP(S) Fujitsu F-07B ^3 S60 Nokia N8 2011 Anna S60 Nokia E6
  • 4. © Franklin Heath Ltd c b CC BY 3.0 Symbian Platform Security Architecture 15 Jan 2015 4  Run-time controls on system and applications  Based on long-established security principles  e.g. “Trusted Computing Base”, “Least Privilege”  Designed for mobile device use cases  low-level, highly efficient implementation  “Capabilities” determine process privileges  checked by APIs which offer security-relevant services  “Data Caging” protects stored data  protected directories for system and for applications  Secure identifiers (“SIDs”) for applications  verified at install-time
  • 5. © Franklin Heath Ltd c b CC BY 3.0 Symbian OS New Malware Strains and Variants Per Month 15 Jan 2015 5 0 2 4 6 8 10 12 14 16 18 New Variant First phones introduced with platform security
  • 6. © Franklin Heath Ltd c b CC BY 3.0 Developer Difficulties 15 Jan 2015 6  Compatibility break  Used as an excuse for fixing accumulated technical debt  Additional complexity  SIDs, data caging, etc.  “How do I know what capabilities I need?”  Difficulty of debugging  “Why can’t you just turn the security off?”  Cost of approval and signing  ...even though it was steadily reduced over time  Delays caused by approval and signing process  Rejections were common
  • 7. © Franklin Heath Ltd c b CC BY 3.0 Aside: Symbian OS C++  Same language and environment for apps as the OS (and/or UI)  In principle allows third party developers to produce powerful apps  ... but harder to work with in-progress documentation and finicky tools  Non-standard C++ “idioms”  Descriptors, active objects, cleanup stack  ANSI exception handling came too late  Technically good (vastly more power efficient)  ... but steep learning curve  Alternatives were either too little (CDC Java, MIDP Java)  ... or too late (PIPS, Qt) 15 Jan 2015 7
  • 8. © Franklin Heath Ltd c b CC BY 3.0 Symbian Signed Capability Groups 15 Jan 2015 8 User Extended (System) Extended (Restricted) Manufacturer LocalServices Location NetworkServices ReadUserData UserEnvironment WriteUserData PowerMgmt ProtServ ReadDeviceData SurroundingsDD SwEvent TrustedUI WriteDeviceData CommDD DiskAdmin NetworkControl MultimediaDD AllFiles DRM TCB
  • 9. © Franklin Heath Ltd c b CC BY 3.0 Symbian Signed Capability Groups 15 Jan 2015 9 Group Additional Capabilities Permitted Unverified Verified with Publisher ID Unsigned or Self-signed Developer Certificate per IMEI(s) Developer Certificate per IMEI(s) Express Signed Certified Signed User 6 install-time user prompt Yes Yes Yes Yes Extended (System) 7 Extended (Restricted) 4 Manufacturer 3 OEM approval OEM approval
  • 10. © Franklin Heath Ltd c b CC BY 3.0 Symbian Signed Costs 15 Jan 2015 10  2004, initially a branding / co-marketing programme  All outsourced costs passed to publisher (could be over $1000 per app)  Most developers were their own publisher  2006, required for “non-user-grantable” platform security capabilities  Standardised testing, lowest price €195  Still required $395 publisher ID annually  2007, reduced costs but increased complexity  Publisher IDs reduced to $200  “Express Signed” $20  subset of “extended” capabilities, self-testing with random auditing afterwards  2010, streamlined test criteria  Express Signed €10, Certified Signed €150  2010, Nokia pays for and performs signing for Ovi Store submissions
  • 11. © Franklin Heath Ltd c b CC BY 3.0 What Could We Have Done Differently?  Needed more clout and/or money  Google were able to ignore operator demands  Apple were able to phase out DRM  Apple were able to subsidise approval process  CA-issued publisher IDs were probably a mistake  Self-signed works for Google Android  Didn’t help us track down malicious actors  Robustness was pretty good  User experience was pretty good 15 Jan 2015 11
  • 12. © Franklin Heath Ltd c b CC BY 3.0 Discussion Points  Was Symbian OS platform security a success?  Did developer difficulties with platform security contribute to Symbian’s downfall?  Could those difficulties have been prevented?  Did Symbian’s platform security have anything better than today’s successful platforms? 15 Jan 2015 12