Challenges Building Secure Mobile Applications

Editor's Notes

  • #4 Masabi has been producing downloadable mobile applications for over 7 years, and today Masabi's secure mobile applications process millions of dollars' worth of transactions every year.
  • #14 http://mobiforge.com/developing/story/setting-http-headers-advise-transcoding-proxies
  • #16 If you can't trust the networks, or are using phones that don't have HTTPS, then you have to take matters into your own hands and put end-to-end encryption in place from your app to your own server, so that you always know the level of security between server and customer.
  • #27 Testing that a PRNG is implemented correctly means checking that its output never becomes cyclic and never tends towards a stable value.
  • #34 We're using on-screen barcodes to show the ticket values for reading by automatic gates, or for checking by the train guards who carry hand-held scanners. The ticket code can be transferred to the NFC element on compatible phones (like this Nokia 6131), but this handset is the only mainstream GSM handset with NFC and we've not heard of others in the pipeline. Even when NFC services become mainstream, you will still need a secure interface to purchase entitlements before they get transferred to the NFC element.
  • #40 Simple: just put in your car, your credit card, and how long you want to park. A brand new user can sign up and pay in just one secure SMS (or 0.02 pence worth of data). Extend your parking without returning to the vehicle.
  • #41 Credit card details are entered just once into the application. Users have said it is "easier to use the mobile purchase than web purchase" because of the quick, optimised workflow.
  • #47 Come see me afterwards for live demos, or to chat about building secure mobile applications for m-commerce, banking, ticketing and messaging. Read our blog for more details on security: blog.masabi.com
  • #49 Our applications are built on three core principles. First, make the application usable and relevant to the end user, and make the default use cases quick and easy on the mobile (I'll show you some slides of that later). Then, PORTABILITY to all popular handsets, including the older handsets that many developers avoid, to ensure the largest possible user base for your service. For mobile commerce: security, on all phones, to modern public standards.
  • #50 Standard GSM services are not secure to Financial Services or Payment Card Industry regulations. You shouldn't use SMS or WAP to send payment instructions, bank passwords or credit card details because too many individuals can gain access to them in transit. (True end-to-end HTTPS is only available on the latest handsets, is slow, and is not usable from Java or SMS.)
    "The contents of SMS messages are known to the network operator's systems and personnel. Therefore, SMS is not an appropriate technology for secure communications. Most users do not realise how easy it may be to intercept" (Nick Jones, Gartner Research 2002, http://www.gartner.com/DisplayDocument?doc_cd=111720)
    "It would not be enough for a financial institution to provide mobile banking services relying on de-facto GSM protocol security" (Pakistan State Bank, Guidelines for Branchless Banking 2007, http://www.sbp.org.pk/bprd/2007/Guidelines-Branchless-Banking.pdf)
    We built EncryptME to the latest standards for new secure web services, and it is still the world's only US Government Certified mobile Java security library. At 3kb, it can provide security on the oldest Java handsets, including the black and white Nokia 6310i (show legendary retro business phone). Most importantly, it allows SMS data to be encrypted too! Servers can continue to use standard cryptography from Sun or Microsoft etc.; they don't need to use custom or proprietary security libraries.
  • #51 Repeat purchases just use steps 3, 4 and 5, and the user only has to enter the CVV number.
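The PRNG check described in note #27 (output that must never become cyclic or settle on a stable value), as an added example that is not part of the original presentation or of Masabi's code: it slides a window over the output stream to catch a repeat, checks whether the tail has collapsed to one value, and runs both checks against two constructed broken generators and a constructed SHA-256 counter stream used only as a non-repeating reference. It goes slightly beyond the note by reporting the observed cycle length.

```python
import hashlib
from collections import deque
from typing import Callable, Optional
def detect_cycle(next_value: Callable[[], int], samples: int, window: int = 4) -> Optional[int]:
    """Slide a window of `window` consecutive outputs along the stream; a repeated window means the
    state has (almost certainly) come round again. Returns the cycle length, or None if no repeat."""
    first_seen = {}
    buf = deque(maxlen=window)
    for i in range(samples):
        buf.append(next_value())
        if len(buf) < window:
            continue
        key = tuple(buf)
        if key in first_seen:
            return i - first_seen[key]
        first_seen[key] = i
    return None

def has_settled(next_value: Callable[[], int], samples: int, tail: int = 64) -> bool:
    """True if the last `tail` outputs are identical: the stream has collapsed to one value."""
    outputs = [next_value() for _ in range(samples)]
    return len(set(outputs[-tail:])) == 1

# Constructed weak generator: an LCG with an 8-bit modulus, so its period is at most 256.
def tiny_lcg(seed: int, a: int = 5, c: int = 1, m: int = 256) -> Callable[[], int]:
    state = seed % m
    def step() -> int:
        nonlocal state
        state = (a * state + c) % m
        return state
    return step

# Constructed broken generator: each output halves the last, so it decays to 0 and stays there.
def decaying(seed: int) -> Callable[[], int]:
    state = seed
    def step() -> int:
        nonlocal state
        state //= 2
        return state
    return step

# Constructed reference stream: SHA-256 over a fixed key and a 64-bit counter (no repeat in any test budget).
def hash_counter(key: bytes) -> Callable[[], int]:
    counter = 0
    def step() -> int:
        nonlocal counter
        counter += 1
        digest = hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        return int.from_bytes(digest[:4], "big")
    return step
```

A window repeat within a modest budget is decisive for a broken generator, but a clean run only shows no short cycle or collapse was observed; it is not a proof of randomness quality.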