IAIK
Assessing Mobile Device Platforms (E-Government, M-Government context)
EGOVIS 2013
Thomas Zefferer, Sandra Kreuzhuber, Peter Teufl

Background
A-SIT: security consulting for public institutions
IAIK: IT security research
Combination: Awesome :-)

Mobile Device Security
Sensitive data: location, documents, credentials etc.
Problems:
Threats: theft, malicious software etc.
Heterogeneous platforms: iOS, Android, Windows Phone, Windows Store, Blackberry, ...
Complexity: securing the systems and developing secure applications

Deployment Scenarios
E-Gov/M-Gov context
Use cases:
Internal usage (public/private sector): Mobile Device Management (MDM) solution, or Bring Your Own Device (BYOD)
Citizen: citizen applications (within the M-Gov context)

Internal Use - MDM
Security policy modelled via the MDM system
Mobile device locked down according to policy/requirements
PLUS: most secure deployment scenario
MINUS: not possible for citizen applications; internal use is under pressure from the BYOD concept

Internal Use - BYOD
Device belongs to the user, no MDM deployment
Deployment of BYOD solutions on the user's device (container applications, application wrapping)
PLUS: user has full control over the device
MINUS: security! Legal and technical issues

Citizen - M-Gov Applications
Applications developed for the citizen
Probably handle critical data (personal data, etc.)
Similar considerations as for BYOD (however with even fewer restrictions)
Considerations are also valid for non-M-Gov apps: banking apps, password safes, theft protection apps etc.

Assets, Threats
Assets - data: credentials, application data, location, emails, SMS, contacts, usage patterns, ...
Threats: theft, malware

Platform Security Features
Data protection: access protection, encryption, secure storage of credentials, MDM
Malware resistance: application APIs and sources, permission system, rooting/jailbreaking?
OS security: updates, fragmentation
Security analysis?

Access Protection, Encryption, Secure Storage of Credentials
How does the encryption system work?
Is encryption based on a hardware element?
Is the user's PIN involved in the key derivation function?
What is the scope of the encryption system?
What does the developer need to know?
How are backups encrypted?

Example: iOS/Android Encryption
Brute-force effort for lock-screen passcodes. "Chars" is the alphabet size, "Passcodes" the number of candidates (chars^length). The iOS column is the time to try every passcode on the device itself at about 80 ms per guess (the derivation time the key derivation slide cites: 10^6 passcodes take 80,000 s, i.e. 0.9 days). The Android columns assume the derivation is run off-device on Amazon GPU on-demand instances: days with one instance, days with 1000 instances in parallel, and the instance cost in $ (the same whether one or 1000 instances are rented). The difference is the question from the previous slide: iOS binds the derivation to a hardware element, so every guess has to run on the phone; Android's disk encryption at the time did not, so the encrypted data can be copied and attacked on rented GPUs.

Type                            | Len | Chars | Passcodes    | iOS on device (days) | Android, 1 instance (days) | Android, 1000 instances (days) | Android cost ($)
Numerical                       | 4   | 10    | 10000        | 0.0                  | 0.0                        | 0.0                            | 0.0
Numerical                       | 6   | 10    | 1000000      | 0.9                  | 0.0                        | 0.0                            | 0.0
Numerical                       | 8   | 10    | 100000000    | 92.6                 | 0.0                        | 0.0                            | 1.3
Numerical                       | 10  | 10    | 10000000000  | 9,259.3              | 2.6                        | 0.0                            | 133.3
Alphanum (10 digits/26 letters) | 4   | 36    | 1679616      | 1.6                  | 0.0                        | 0.0                            | 0.0
Alphanum (10 digits/26 letters) | 6   | 36    | 2176782336   | 2,015.5              | 0.6                        | 0.0                            | 29.0
Alphanum (10 digits/26 letters) | 7   | 36    | 78364164096  | 72,559.4             | 20.7                       | 0.0                            | 1,044.9
Alphanum (10 digits/26 letters) | 8   | 36    | 2.82111E+12  | 2,612,138.8          | 746.3                      | 0.7                            | 37,614.8
Alphanum (10 digits/26 letters) | 9   | 36    | 1.0156E+14   | 94,036,996.9         | 26,867.7                   | 26.9                           | 1,354,132.8
Alphanum (10 digits/26 letters) | 10  | 36    | 3.65616E+15  | 3,385,331,888.9      | 967,237.7                  | 967.2                          | 48,748,779.2
Alphanum (10 digits/52 letters) | 4   | 62    | 14776336     | 13.7                 | 0.0                        | 0.0                            | 0.2
Alphanum (10 digits/52 letters) | 5   | 62    | 916132832    | 848.3                | 0.2                        | 0.0                            | 12.2
Alphanum (10 digits/52 letters) | 6   | 62    | 56800235584  | 52,592.8             | 15.0                       | 0.0                            | 757.3
Alphanum (10 digits/52 letters) | 7   | 62    | 3.52161E+12  | 3,260,754.3          | 931.6                      | 0.9                            | 46,954.9
Alphanum (10 digits/52 letters) | 8   | 62    | 2.1834E+14   | 202,166,764.4        | 57,761.9                   | 57.8                           | 2,911,201.4
Alphanum (10 digits/52 letters) | 9   | 62    | 1.35371E+16  | 12,534,339,394.7     | 3,581,239.8                | 3,581.2                        | 180,494,487.3
Complex                         | 4   | 107   | 131079601    | 121.4                | 0.0                        | 0.0                            | 1.7
Complex                         | 5   | 107   | 14025517307  | 12,986.6             | 3.7                        | 0.0                            | 187.0
Complex                         | 6   | 107   | 1.50073E+12  | 1,389,565.1          | 397.0                      | 0.4                            | 20,009.7
Complex                         | 7   | 107   | 1.60578E+14  | 148,683,470.0        | 42,481.0                   | 42.5                           | 2,141,042.0
Complex                         | 8   | 107   | 1.71819E+16  | 15,909,131,294.7     | 4,545,466.1                | 4,545.5                        | 229,091,490.6

Mobile Device Management
Mobile Device Management (MDM): which rules?
How is the system integrated into the mobile device OS?
Fragmentation?

Applications
Application sources? Defined markets? Alternative sources (email, etc.)?
Application APIs? Security, system integration etc.
Security: what does the developer need to know?
Permission system? Usability, which permissions?

Core Security
OS security: low-level malware protection (buffer overflows, sandboxes, operating system architecture, programming languages)
Updates, fragmentation: Updates? Fragmentation of OS versions? Fragmentation of functionality (due to extensions of the OS)?

Platform Security - Managed
Managed devices: which criteria?
MDM, MAM: functionality!
Applications (when not restricted)
Data protection (mainly encryption)
(Diagram: smartphone whose security config is set by MDM, with its apps managed via MAM)

BYOD
Challenging in terms of security (and also legal considerations)!
Device is not managed!
Activation of OS security features depends on the user
Solutions: container applications, application wrappers, OS-integrated solutions (Blackberry Balance)

MDM, BYOD
(Diagram: four deployment architectures side by side)
MDM: security config enforced by MDM/MAM for the whole smartphone, all apps managed
Container app: management and security config apply only inside the container app; the other apps on the smartphone are untouched
Application wrappers: management and security config applied per wrapped app, next to unwrapped apps
Blackberry Balance: MDM/MAM security config for a business area, a separate security config for a private area, both on the same smartphone

BYOD - Container Applications
Provide mail, contacts, browser, calendar and secure file storage in a specific application
Application cannot assume a secure environment: needs to implement its own security features (encryption, secure communication, root/jailbreak checks)
Highly platform specific (need to know the security features, APIs etc.)

Example: Key Derivation
Container applications (also valid for M-Gov applications with sensitive data)
Key derivation (from password to encryption key) is a key requirement for secure encryption systems
Key derivation principles:
Salt (no pre-calculated password tables)
Long derivation time (e.g. 80 ms per passcode on iOS)
Need to have cryptographic know-how to get it right
Mistakes: simple brute-force attacks...
(Diagram: passcode and salt -> key derivation -> derived key -> data encryption key)
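The two principles on this slide, salt and a long derivation time, next to the mistake the slide warns about, as an added example that is not part of the original slides or of any A-SIT/IAIK code. PBKDF2-HMAC-SHA256 from the Python standard library stands in for whatever KDF a container app would actually use on its platform; the victim passcode, the salts and the 80 ms target (the iOS figure from the slide) are constructed for the demonstration. The naive scheme falls to a table computed once for all victims; the salted scheme forces the attacker to re-derive every candidate at full cost for each device.

```python
import hashlib
import os
import time
from itertools import product

KEY_LEN = 32            # derived key length in bytes (e.g. an AES-256 key)
TARGET_SECONDS = 0.08   # the ~80 ms per passcode the slide cites for iOS (assumed target here)
DIGITS = "0123456789"


def naive_key(passcode: str) -> bytes:
    """The mistake: one unsalted, fast hash. Every device with the same
    passcode gets the same key, so one precomputed table breaks them all."""
    return hashlib.sha256(passcode.encode()).digest()


def derive_key(passcode: str, salt: bytes, iterations: int) -> bytes:
    """Salted and iterated: PBKDF2-HMAC-SHA256 (stand-in for the platform KDF)."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, iterations, KEY_LEN)


def calibrate_iterations(target_seconds: float = TARGET_SECONDS, probe: int = 20_000) -> int:
    """Choose an iteration count so one derivation costs about target_seconds
    on this machine: time a probe run and scale linearly, with a floor."""
    start = time.perf_counter()
    derive_key("probe", b"\x00" * 16, probe)
    elapsed = max(time.perf_counter() - start, 1e-6)
    return max(10_000, int(probe * target_seconds / elapsed))


def precomputed_table(charset: str, length: int) -> dict:
    """Attacker side, naive scheme: key -> passcode for the whole space,
    computed once and reused against every victim (10**4 rows for 4-digit PINs)."""
    return {naive_key("".join(p)): "".join(p) for p in product(charset, repeat=length)}


def brute_force_salted(target_key: bytes, salt: bytes, iterations: int,
                       charset: str, length: int):
    """Attacker side, salted scheme: the table is useless because the salt is
    per device, so each candidate must be re-derived at full cost. Returns the
    recovered passcode (or None) and the number of derivations spent."""
    tried = 0
    for p in product(charset, repeat=length):
        tried += 1
        guess = "".join(p)
        if derive_key(guess, salt, iterations) == target_key:
            return guess, tried
    return None, tried


def guesses_per_second(iterations: int, samples: int = 5) -> float:
    """Attacker's single-core rate against the salted scheme at this iteration count."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_key(str(i), salt, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    pin = "4711"                      # constructed victim passcode
    # Naive scheme: instant recovery by table lookup, no per-victim work.
    table = precomputed_table(DIGITS, 4)
    print("naive lookup:", table[naive_key(pin)])
    # Salted scheme at ~80 ms per guess: exhausting 10**4 PINs costs ~800 s per device.
    iters = calibrate_iterations()
    rate = guesses_per_second(iters)
    print(f"iterations={iters}, ~{rate:.1f} guesses/s, "
          f"4-digit PIN worst case {10**4 / rate:.0f} s on this machine")
```

The calibration is deliberately machine-relative: the slide's 80 ms is what the derivation costs on the phone, while the attacker measures the same iteration count on whatever hardware is fastest, which is exactly why the brute-force tables distinguish on-device from GPU attacks.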

Example (continued)
The same passcode classes with the iOS on-device column unchanged; the right-hand group is the "GPU" scenario named in the legend of the earlier table: brute-force days for one GPU, for 1000 GPUs in parallel (the previous column divided by 1000) and the cost in $. Against the rented-instance figures the GPU scenario is about 16 times faster per unit and far cheaper per day, so even a 10-character alphanumeric passcode falls in about two months with 1000 GPUs.

Type                            | Len | Chars | Passcodes    | iOS on device (days) | GPU, 1 unit (days) | GPU, 1000 units (days) | Cost ($)
Numerical                       | 4   | 10    | 10000        | 0.0                  | 0.0                | 0.0                    | 0.0
Numerical                       | 6   | 10    | 1000000      | 0.9                  | 0.0                | 0.0                    | 0.0
Numerical                       | 8   | 10    | 100000000    | 92.6                 | 0.0                | 0.0                    | 0.0
Numerical                       | 10  | 10    | 10000000000  | 9,259.3              | 0.2                | 0.0                    | 0.0
Alphanum (10 digits/26 letters) | 4   | 36    | 1679616      | 1.6                  | 0.0                | 0.0                    | 0.0
Alphanum (10 digits/26 letters) | 6   | 36    | 2176782336   | 2,015.5              | 0.0                | 0.0                    | 0.0
Alphanum (10 digits/26 letters) | 7   | 36    | 78364164096  | 72,559.4             | 1.3                | 0.0                    | 0.2
Alphanum (10 digits/26 letters) | 8   | 36    | 2.82111E+12  | 2,612,138.8          | 46.6               | 0.0                    | 8.3
Alphanum (10 digits/26 letters) | 9   | 36    | 1.0156E+14   | 94,036,996.9         | 1,679.2            | 1.7                    | 299.0
Alphanum (10 digits/26 letters) | 10  | 36    | 3.65616E+15  | 3,385,331,888.9      | 60,452.4           | 60.5                   | 10,763.7
Alphanum (10 digits/52 letters) | 4   | 62    | 14776336     | 13.7                 | 0.0                | 0.0                    | 0.0
Alphanum (10 digits/52 letters) | 5   | 62    | 916132832    | 848.3                | 0.0                | 0.0                    | 0.0
Alphanum (10 digits/52 letters) | 6   | 62    | 56800235584  | 52,592.8             | 0.9                | 0.0                    | 0.2
Alphanum (10 digits/52 letters) | 7   | 62    | 3.52161E+12  | 3,260,754.3          | 58.2               | 0.1                    | 10.4
Alphanum (10 digits/52 letters) | 8   | 62    | 2.1834E+14   | 202,166,764.4        | 3,610.1            | 3.6                    | 642.8
Alphanum (10 digits/52 letters) | 9   | 62    | 1.35371E+16  | 12,534,339,394.7     | 223,827.5          | 223.8                  | 39,852.9
Complex                         | 4   | 107   | 131079601    | 121.4                | 0.0                | 0.0                    | 0.0
Complex                         | 5   | 107   | 14025517307  | 12,986.6             | 0.2                | 0.0                    | 0.0
Complex                         | 6   | 107   | 1.50073E+12  | 1,389,565.1          | 24.8               | 0.0                    | 4.4
Complex                         | 7   | 107   | 1.60578E+14  | 148,683,470.0        | 2,655.1            | 2.7                    | 472.7
Complex                         | 8   | 107   | 1.71819E+16  | 15,909,131,294.7     | 284,091.6          | 284.1                  | 50,583.1
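The arithmetic behind both brute-force tables (the iOS/Android one and this one), as an added example that is not from the slides or from A-SIT/IAIK: passcode space = chars^length, worst-case days = space times seconds per guess divided by 86,400, parallel instances divide the days but not the instance-days, and cost = instance-days times the price per instance-day. The 80 ms per guess is the iOS figure the slides cite; the per-instance guess rate and price for the off-device columns are not stated on the slides, so the functions take them as parameters and the values in the demo are either inverted from a table row or constructed.

```python
SECONDS_PER_DAY = 86_400
IOS_SECONDS_PER_GUESS = 0.08   # the ~80 ms per passcode the slides cite for iOS

# Lock-screen classes and alphabet sizes as used in the tables.
CLASSES = {
    "Numerical": 10,                        # digits
    "Alphanum (10 digits/26 letters)": 36,
    "Alphanum (10 digits/52 letters)": 62,
    "Complex": 107,
}


def passcode_space(chars: int, length: int) -> int:
    """Number of candidate passcodes for an alphabet of `chars` symbols."""
    return chars ** length


def brute_force_days(chars, length, seconds_per_guess, instances=1):
    """Worst case (every passcode tried), work split across `instances`."""
    return passcode_space(chars, length) * seconds_per_guess / instances / SECONDS_PER_DAY


def brute_force_cost(chars, length, seconds_per_guess, price_per_instance_day):
    """Rented-hardware cost. Parallelism does not change it: 1000 instances
    for 1/1000 of the time are the same number of instance-days."""
    return brute_force_days(chars, length, seconds_per_guess) * price_per_instance_day


def implied_seconds_per_guess(chars, length, days, instances=1):
    """Invert a table row: how long one guess takes on one instance. Handy for
    checking a vendor's numbers or the effective cost of a KDF setting."""
    return days * SECONDS_PER_DAY * instances / passcode_space(chars, length)


def min_length(chars, seconds_per_guess, instances, hold_out_days):
    """Smallest passcode length whose worst-case search exceeds hold_out_days
    against an attacker with the given per-guess time and parallelism."""
    length = 1
    while brute_force_days(chars, length, seconds_per_guess, instances) < hold_out_days:
        length += 1
    return length


def ios_column(rows, seconds_per_guess=IOS_SECONDS_PER_GUESS):
    """Reproduce the iOS on-device column for (class label, length) rows,
    rounded to one decimal like the tables."""
    return [(label, length, round(brute_force_days(CLASSES[label], length, seconds_per_guess), 1))
            for label, length in rows]


if __name__ == "__main__":
    rows = [("Numerical", 4), ("Numerical", 6), ("Numerical", 8), ("Numerical", 10),
            ("Alphanum (10 digits/26 letters)", 10), ("Complex", 8)]
    for label, length, days in ios_column(rows):
        print(f"{label:32} len={length:2} iOS on-device: {days:,.1f} days")
    # Off-device attacker: per-guess time inverted from the 10-digit Android row
    # (2.6 days, one Amazon GPU instance); the 30-day hold-out target is constructed.
    gpu_seconds = implied_seconds_per_guess(10, 10, 2.6)
    print(f"implied Android/GPU rate: {1 / gpu_seconds:,.0f} guesses/s per instance")
    print("digits needed to hold 30 days against 1000 such instances:",
          min_length(10, gpu_seconds, 1000, 30))
```

Two things the tables show but do not say: the cost column is flat in the number of instances, so renting 1000 GPUs only buys time, not a discount; and min_length is the number a policy should be set from, because the on-device 80 ms only protects a passcode when the attacker cannot move the derivation off the device.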

Citizen Application
Citizen applications for handling critical data (similar to banking apps, password safes)
Same considerations as for container applications
Arbitrary environment (even less restricted than in BYOD), devices, versions
Threat of malware (arbitrary application sources)

Best Practice - Managed
iOS: encryption, MDM, application security/features
Android: highly depends on the platform! Stock Android: lacking important MDM features!
Windows Phone/Windows Store: lacking MDM features, VPN (8.1 update...), otherwise comparable to iOS
Blackberry: Balance framework! Good architecture.

Best Practice - BYOD
Blackberry: Balance framework: huge plus (integrated BYOD solution)
iOS, Windows Phone/Store: huge advantages over Android
Android: alternative sources, deeply integrated system APIs, malware situation

Best Practice - Citizen App
No platform choice: market and users decide
Developing apps which handle sensitive data:
Know the platforms, their security features and weaknesses
Development by a security-aware team: cryptography, IT security, detailed knowledge about the platforms
Keep data on the device limited
iOS, Windows Phone, Blackberry easier to handle. Android ???

References, Contact
peter.teufl@iaik.tugraz.at
thomas.zefferer@iaik.tugraz.at
Refs:
https://sites.google.com/site/acnws2012/
http://www.iaik.tugraz.at/content/about_iaik/people/teufl_peter/
Contact me if you need the PDFs or slides

Thx, and enjoy Praha!
