Mobile Application Security and Mobile Security Applications: Sticks and Carrots
30 September 2011
Craig Heath, Independent Mobile Security Consultant
Topics
Who the [heck] are you?
Why can’t you turn this [stupid] security off?
Comparing security frameworks on the main platforms
What’s in it for me?
Security apps that vendors and operators aren’t doing
  Notarised call recording
  Premium charge warning
  Trustworthy viewport
© Franklin Heath Ltd
My Background
Working in systems software security since 1989
  UNIX and Enterprise Java
Focus on mobile platforms since 2002
  Responsible for Symbian’s platform security strategy
  Lead author of the book “Symbian OS Platform Security”
  Chief Security Technologist at the Symbian Foundation
Now providing independent security consultancy
  Set up Franklin Heath Ltd in November 2010
Why We Need Application Security
Bad guys are deploying malicious phone apps to defraud people for commercial gain
  Stealing virtual goods and credits
  Premium rate messaging fraud
  Phishing (e.g. banking MTANs)
People need and expect their phones to be more trustworthy than their PCs have been
  Emergency calls
  Personal data (e.g. location, contacts, photos)
Fraudulent Apps are Real
Mobile Device Security and Privacy Does Matter
Organised crime is monetising mobile vulnerabilities
  ZitMo in Europe, trojans in China and Russia
Phone software platforms are becoming more uniform
  Easier to target a bigger “addressable market”
  Android market share increasing, iPhone steady
  But don’t forget “legacy” Symbian devices (still 100s of millions)
Widespread privacy breaches are sensitising people
  e.g. Sony PlayStation Network
  WSJ coverage of bad practice in mobile applications
Comparing Application Testing
Apple and Google are two extremes of approach
iTunes app store inspects every application and can reject for arbitrary reasons
  Good for consumers, bad for developers
Android Market “common carrier” approach: pass through everything submitted, remove apps only if complaints are made
  Good for developers, bad for consumers
Symbian Signed did standardised third-party testing
  Middle ground, manages costs, but provides little defence against deliberate malware
  Note that the Nokia app store adds additional manual QA inspection
Comparing Application Signing
Developer signing requirements vary
  Android: “self-signed”, free to create a certificate
  iPhone: Apple developer registration includes certificate cost
  Symbian Signed required a third-party, $200, certificate
Signing party for “production” apps also varies
  iTunes, Amazon use only an app store signature
  Android Market uses only the developer signature
  Symbian Signed uses only the certifier signature
Comparing Copy Protection
iTunes app store uses Apple proprietary FairPlay DRM
Android Market doesn’t provide automatic copy protection, but Google provides libraries for developers to invoke a licence server
Nokia app store has lightweight “forward lock” copy protection
Opportunity: Put the User in Control
Ways to benefit the end user, not the vendor or operator
  Correcting “information asymmetries” to benefit consumers
  More usable control over personal information sharing
  Tools for the paranoid (or security professional)
Putting users in control of their own data and their own charges is the right thing to do
But usability is key
  Don’t cause security prompt blindness
  Don’t put the responsibility on them as a cop-out
Idea 1: Notarised Call Recording
“Reciprocal Transparency” – who watches the watchers?
When you call a utility company, do you hear “this call may be recorded”?
  it’s being recorded for their benefit, not yours
Have you ever been told they will do something, but when you call back: “I’m sorry, I have no record of that”?
  probably they do, but you can’t prove it: information asymmetry
Why isn’t this built in to my phone?
  Hypothesis: difficult to do legally in all jurisdictions?
Idea 1: Notarised Call Recording – What can be done?
Even a simple recording would help, with the call log
  but unlikely to be good enough evidence to use in court
Could combine this with a “digital notary”
  take a hash of the recording (prevents future tampering)
  have the hash signed by a trusted third party with a time stamp
  proves that the recording was made at or before that time
Make sure it’s legal in the UK
  Play a recorded announcement at the start? (= reciprocal)
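The hash-then-timestamp notary flow from the slide, written out as an added example for this page (not code from the talk). It assumes the notary authenticates tokens with an HMAC-SHA256 key only it holds, standing in for a real public-key signature so the example runs with the standard library alone; the call audio is a constructed byte string.

```python
"""Digital notary for a call recording: hash locally, have the notary bind the
hash to a time stamp, verify later. HMAC under a notary-held key is an
assumption standing in for a proper signature (example code for this page)."""
import hashlib
import hmac
import json

NOTARY_KEY = b"constructed-notary-key-for-this-example-only"  # assumption


def recording_digest(audio: bytes) -> str:
    """SHA-256 of the recording; any later edit to the audio changes it."""
    return hashlib.sha256(audio).hexdigest()


def notarise(audio: bytes, timestamp_iso: str) -> dict:
    """Notary side: only the digest leaves the phone, never the audio.
    The notary binds digest and time stamp together and authenticates the pair."""
    token = {"sha256": recording_digest(audio), "ts": timestamp_iso}
    msg = json.dumps(token, sort_keys=True).encode()
    token["sig"] = hmac.new(NOTARY_KEY, msg, hashlib.sha256).hexdigest()
    return token


def verify(audio: bytes, token: dict) -> tuple:
    """Check a recording against its token. A valid token shows the audio
    existed unchanged at or before token['ts']; it proves nothing about when
    the call itself took place, which is exactly the slide's 'at or before'."""
    unsigned = {"sha256": token["sha256"], "ts": token["ts"]}
    msg = json.dumps(unsigned, sort_keys=True).encode()
    expected = hmac.new(NOTARY_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return False, "notary signature invalid"       # token or ts tampered
    if recording_digest(audio) != token["sha256"]:
        return False, "recording altered after notarisation"
    return True, f"unchanged since {token['ts']}"


if __name__ == "__main__":
    call = b"constructed stand-in for the call audio bytes"
    tok = notarise(call, "2011-09-30T10:00:00+00:00")
    print(verify(call, tok))
    print(verify(call + b"edited", tok))
    print(verify(call, dict(tok, ts="2010-01-01T00:00:00+00:00")))
```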
Idea 2: Premium Charge Warning
Premium rate voice and SMS service providers in the UK are required by law to advise consumers of their charges in advance
  but they haven’t always done this in the most obvious way
  malware isn’t going to respect this
In the UK, you can discover the charges with a free SMS (76787)
  also available as a web-based online number checker
  but I doubt many people use this regularly
It would be much more useful if your phone did this for you
  operators may not like this (could discourage use of legitimate services)
Idea 2: Premium Charge Warning – What can be done?
Filter to check numbers your phone is calling and texting, and warn before the call is placed if it’s premium rate
  “allow this application to spend 50p?” would be far more usable than “allow this application to make phone calls and send text messages?”
Could be extended to enforce rules, e.g.
  allow this application to spend up to £5
  allow this application to send 2 texts per day
But, data isn’t easily available, and the hooks aren’t easily accessible on all phone platforms
  a “proof of concept” app could allow pressure to be brought
Idea 2: Premium Charge Warning – Proof-of-concept Possibilities
Screen-scraping of the PhonePayPlus number checker
  http://www.phonepayplus.org.uk/Number-Checker/Check-a-Number-Results.aspx?ncn=number
Trapping the call/SMS before it’s sent
  On Android, the ACTION_NEW_OUTGOING_CALL broadcast action allows voice calls to be intercepted
  No equivalent for SMS?
Charge information for number ranges is available commercially
  Could it be a marketing opportunity for the holders to make it available for free in some way, limited to this purpose?
  Could it be made available as part of government Open Data?
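The per-app charge guard sketched across the two slides above (tariff lookup, a warning in pence instead of “make phone calls”, a spend cap and a daily text quota), as an added example for this page and not code from the talk. The tariff table is constructed (only the free 76787 checker shortcode comes from the slides), a real deployment would take tariffs from a number checker or commercial feed, and the interception hook (e.g. Android’s ACTION_NEW_OUTGOING_CALL) is platform-specific and outside this snippet.

```python
"""Premium-charge guard: decide allow / warn / deny for an outgoing call or
text, per app, against a spend cap and a texts-per-day quota (example code)."""
from collections import defaultdict

# Constructed tariff table in pence per event (first minute or per text).
# Longest matching digit prefix wins; unlisted numbers count as standard rate.
TARIFF_PENCE = {
    "0900": 150, "0909": 150,   # constructed premium voice prefixes
    "80000": 500,               # constructed premium SMS shortcode
    "76787": 0,                 # free PhonePayPlus checker shortcode (from slides)
}


def tariff_pence(number: str) -> int:
    digits = "".join(ch for ch in number if ch.isdigit())
    for n in range(len(digits), 0, -1):
        if digits[:n] in TARIFF_PENCE:
            return TARIFF_PENCE[digits[:n]]
    return 0


class ChargeGuard:
    """Tracks what each app has been allowed to spend and send."""

    def __init__(self, spend_cap_pence=None, texts_per_day=None):
        self.spend_cap = spend_cap_pence
        self.text_quota = texts_per_day
        self.spent = defaultdict(int)    # app -> pence committed so far
        self.texts = defaultdict(int)    # (app, day) -> texts committed

    def check(self, app: str, kind: str, number: str, day: str) -> tuple:
        """kind is 'call' or 'sms'; day is an ISO date used for the quota."""
        cost = tariff_pence(number)
        if kind == "sms" and self.text_quota is not None:
            if self.texts[(app, day)] >= self.text_quota:
                return "deny", f"{app} already sent {self.text_quota} texts today"
        if cost and self.spend_cap is not None and self.spent[app] + cost > self.spend_cap:
            return "deny", f"{app} would exceed its {self.spend_cap}p cap"
        if cost:   # the usable prompt: a price, not a permission category
            return "warn", f"allow {app} to spend {cost}p?"
        return "allow", "standard rate"

    def commit(self, app: str, kind: str, number: str, day: str) -> None:
        """Record an event after the user (or policy) let it through."""
        self.spent[app] += tariff_pence(number)
        if kind == "sms":
            self.texts[(app, day)] += 1
```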
Idea 3: Trustworthy Viewport
Typical desktop web commerce model is for the user to enter a password to confirm the transaction
  OK if the user confirms they are giving it to the payment provider and not to a “phishing” site
Mobile browsers lack the visual security cues
  No room on a small screen for the window “chrome”
  Apps can draw on the entire display area
Desktop model of entering a password to authorize the transaction is dangerous on mobile
Examples of Insecure Mobile Experience for In-App Payments
Idea 3: Trustworthy Viewport – What can be done?
Have a “helper” app provide the UI for password entry
Show the user something that a malicious app can’t
  e.g. Yahoo! “sign-in seal”, 3D Secure “Personal Assurance Message”
Couple that with a clear indication of the origin of the view contents
  cf. Internet Explorer highlighting the 2nd level domain, Firefox green background for EV server certificates, etc.
Wrapper for Android WebView?
Open Discussion…
One of the two apps was on the official Android Market (the other on an “independent app store”). Dozens of cases of trojaned Android apps, with an estimated 100,000s of downloads, opening up remote C&C.
Nokia store will now sign on your behalf (and issue UIDs and DevCerts) without requiring a Publisher ID for Express Signed capabilities.
“Information asymmetry” is an economic term, referring to transactions in which one party has more, or better, information than the other. BTW, what’s not an opportunity is anti-virus software.
Commercial ($10) Android app “Total Recall”.
PhonePayPlus consultation doesn’t address deliberate fraud.
Telcordia Mobile ID: http://www.telcordia.com/services/interconnection/mobile-id.html
There is no law (or technology) that prevents malicious applications from drawing pictures of padlocks.