Franklin Heath Ltd
Smartphone Platform Security
What can we learn from Symbian?
Craig Heath
Independent Security Consultant
15 Jan 2015
© Franklin Heath Ltd, CC BY 3.0

Discussion Points
• Was Symbian OS platform security a success?
• Did developer difficulties with platform security contribute to Symbian’s downfall?
• Could those difficulties have been prevented?
• Did Symbian’s platform security have anything better than today’s successful platforms?

Symbian OS Versions
Without Platform Security
Year  Ver.   UI Layer               Typical Phone
2001  6.0    Series 80              Nokia 9210
2002  6.1    S60 1st Edition+FP1    Nokia 7650
             MOAP(S)                Fujitsu F2051
      7.0    UIQ 2.0 (& 2.1)        Sony Ericsson P800
2003  7.0S   S60 2nd Edition+FP1    Nokia 6600
2004  8.0a   S60 2nd Edition FP2    Nokia 6630
2005  8.1a   S60 2nd Edition FP3    Nokia N90
2007  8.1b   MOAP(S)                Fujitsu F905i

With Platform Security
Year  Ver.   UI Layer               Typical Phone
2006  9.1    S60 3rd Edition        Nokia 3250
             UIQ 3.0                Sony Ericsson P990
2007  9.2    S60 3rd Edition FP1    Nokia N95
             UIQ 3.1 & 3.2          Motorola Z8
2008  9.3    S60 3rd Edition FP2    Samsung i8510
      9.4    S60 5th Edition        Nokia 5800
2009                                Nokia N97
2010  ^2     MOAP(S)                Fujitsu F-07B
      ^3     S60                    Nokia N8
2011  Anna   S60                    Nokia E6

Symbian Platform Security Architecture
• Run-time controls on system and applications
• Based on long-established security principles
• e.g. “Trusted Computing Base”, “Least Privilege”
• Designed for mobile device use cases
• low-level, highly efficient implementation
• “Capabilities” determine process privileges
• checked by APIs which offer security-relevant services
• “Data Caging” protects stored data
• protected directories for system and for applications
• Secure identifiers (“SIDs”) for applications
• verified at install-time

Symbian OS New Malware Strains and Variants Per Month
[Chart: count per month, y-axis 0 to 18; series “New” and “Variant”; annotation “First phones introduced with platform security”]

Developer Difficulties
• Compatibility break
• Used as an excuse for fixing accumulated technical debt
• Additional complexity
• SIDs, data caging, etc.
• “How do I know what capabilities I need?”
• Difficulty of debugging
• “Why can’t you just turn the security off?”
• Cost of approval and signing
• ...even though it was steadily reduced over time
• Delays caused by approval and signing process
• Rejections were common

Aside: Symbian OS C++
• Same language and environment for apps as the OS (and/or UI)
• In principle allows third party developers to produce powerful apps
• ... but harder to work with in-progress documentation and finicky tools
• Non-standard C++ “idioms”
• Descriptors, active objects, cleanup stack
• ANSI exception handling came too late
• Technically good (vastly more power efficient)
• ... but steep learning curve
• Alternatives were either too little (CDC Java, MIDP Java)
• ... or too late (PIPS, Qt)

Symbian Signed Capability Groups
User: LocalServices, Location, NetworkServices, ReadUserData, UserEnvironment, WriteUserData
Extended (System): PowerMgmt, ProtServ, ReadDeviceData, SurroundingsDD, SwEvent, TrustedUI, WriteDeviceData
Extended (Restricted): CommDD, DiskAdmin, NetworkControl, MultimediaDD
Manufacturer: AllFiles, DRM, TCB

Symbian Signed Capability Groups
Columns: Group; Additional Capabilities; Permitted
Permitted is split into:
  Unverified: Unsigned or Self-signed; Developer Certificate per IMEI(s)
  Verified with Publisher ID: Developer Certificate per IMEI(s); Express Signed; Certified Signed
Rows:
  User, 6: install-time user prompt; Yes; Yes; Yes; Yes
  Extended (System), 7
  Extended (Restricted), 4
  Manufacturer, 3: OEM approval; OEM approval

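The checks described on the architecture and capability-group slides, as an added example (not code from the deck or from Symbian): a standard-C++ model in which a file access is decided by data caging and a capability set is mapped to the Symbian Signed group it falls into. All type and function names are hypothetical, the SIDs are constructed sample values, and the directory rules for \sys, \resource and \private\<SID> come from the published Symbian platform security design rather than from these slides.

```cpp
// Added illustration, not Symbian source: capability checks and data caging modelled in
// standard C++. All type and function names here are hypothetical.
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <string>

typedef uint32_t CapSet;

// One bit per capability, in the order of the "Symbian Signed Capability Groups" slide.
struct Cap { enum : uint32_t {
    LocalServices = 1u << 0, Location = 1u << 1, NetworkServices = 1u << 2,
    ReadUserData = 1u << 3, UserEnvironment = 1u << 4, WriteUserData = 1u << 5,
    PowerMgmt = 1u << 6, ProtServ = 1u << 7, ReadDeviceData = 1u << 8,
    SurroundingsDD = 1u << 9, SwEvent = 1u << 10, TrustedUI = 1u << 11,
    WriteDeviceData = 1u << 12,
    CommDD = 1u << 13, DiskAdmin = 1u << 14, NetworkControl = 1u << 15,
    MultimediaDD = 1u << 16,
    AllFiles = 1u << 17, DRM = 1u << 18, TCB = 1u << 19
}; };

// Group masks follow the slide's grouping: 6 + 7 + 4 + 3 capabilities.
const CapSet kUser          = 0x0003Fu;  // bits 0..5
const CapSet kExtSystem     = 0x01FC0u;  // bits 6..12
const CapSet kExtRestricted = 0x1E000u;  // bits 13..16
const CapSet kManufacturer  = 0xE0000u;  // bits 17..19

enum Group { GroupNone, GroupUser, GroupExtSystem, GroupExtRestricted, GroupManufacturer };

// The most privileged signing group touched by a capability set.
Group requiredGroup(CapSet caps) {
    if (caps & kManufacturer)  return GroupManufacturer;
    if (caps & kExtRestricted) return GroupExtRestricted;
    if (caps & kExtSystem)     return GroupExtSystem;
    if (caps & kUser)          return GroupUser;
    return GroupNone;
}

struct Process { uint32_t sid; CapSet caps; };  // SID and capabilities fixed at install time

// The check an API makes before offering a service: every required bit must be held.
bool hasCapabilities(const Process& p, CapSet required) {
    return (p.caps & required) == required;
}

// True if path is dir itself or lies below it ("\system" is not under "\sys").
static bool under(const std::string& path, const std::string& dir) {
    return path.compare(0, dir.size(), dir) == 0 &&
           (path.size() == dir.size() || path[dir.size()] == '\\');
}

// Capabilities data caging demands for one access. Assumes an absolute, already
// canonical path with an optional drive letter; names are case-insensitive.
CapSet cagingRequirement(const Process& p, std::string path, bool write) {
    for (size_t i = 0; i < path.size(); ++i)
        path[i] = static_cast<char>(std::tolower(static_cast<unsigned char>(path[i])));
    if (path.size() >= 2 && path[1] == ':') path.erase(0, 2);  // drop "c:"
    if (under(path, "\\sys"))      return write ? CapSet(Cap::TCB) : CapSet(Cap::AllFiles);
    if (under(path, "\\resource")) return write ? CapSet(Cap::TCB) : CapSet(0);
    if (under(path, "\\private")) {
        char own[9];
        std::snprintf(own, sizeof own, "%08x", static_cast<unsigned>(p.sid));
        if (under(path, std::string("\\private\\") + own)) return 0;  // the process's own cage
        return Cap::AllFiles;                                         // another application's cage
    }
    return 0;  // everything else is public
}

bool mayAccess(const Process& p, const std::string& path, bool write) {
    return hasCapabilities(p, cagingRequirement(p, path, write));
}

int main() {
    // Constructed sample: an app holding two user-grantable capabilities.
    Process app = {0x20001234u, Cap::NetworkServices | Cap::ReadUserData};
    const char* paths[] = {"c:\\private\\20001234\\settings.ini",
                           "c:\\private\\10005a32\\store.db",
                           "c:\\sys\\bin\\other.exe"};
    const char* groups[] = {"none", "User", "Extended (System)",
                            "Extended (Restricted)", "Manufacturer"};
    for (int i = 0; i < 3; ++i) {
        CapSet need = cagingRequirement(app, paths[i], false);
        std::printf("%-36s read %-7s group needed: %s\n", paths[i],
                    mayAccess(app, paths[i], false) ? "allowed" : "denied",
                    groups[requiredGroup(need)]);
    }
    return 0;
}
```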
Symbian Signed Costs
• 2004, initially a branding / co-marketing programme
• All outsourced costs passed to publisher (could be over $1000 per app)
• Most developers were their own publisher
• 2006, required for “non-user-grantable” platform security capabilities
• Standardised testing, lowest price €195
• Still required $395 publisher ID annually
• 2007, reduced costs but increased complexity
• Publisher IDs reduced to $200
• “Express Signed” $20
• subset of “extended” capabilities, self-testing with random auditing afterwards
• 2010, streamlined test criteria
• Express Signed €10, Certified Signed €150
• 2010, Nokia pays for and performs signing for Ovi Store submissions

What Could We Have Done Differently?
• Needed more clout and/or money
• Google were able to ignore operator demands
• Apple were able to phase out DRM
• Apple were able to subsidise approval process
• CA-issued publisher IDs were probably a mistake
• Self-signed works for Google Android
• Didn’t help us track down malicious actors
• Robustness was pretty good
• User experience was pretty good

Discussion Points
• Was Symbian OS platform security a success?
• Did developer difficulties with platform security contribute to Symbian’s downfall?
• Could those difficulties have been prevented?
• Did Symbian’s platform security have anything better than today’s successful platforms?
