The presentation will show the historical development of mobile platforms based on our experience using mobile technologies in electronic/mobile banking, and will analyze and compare the security of mobile platforms.
3. in 2004 we start a company (Wheel Systems)
after 12 years... mission not yet fully accomplished, but really soon now
in 2005 we deploy CERB (corporate version) for the first time
our mission: eliminate static passwords!
our product: authentication system (CERB) which uses a mobile application as a one-time password generator
it is 2004, so the name for the app is obvious: JavaToken
in 2007 we deploy CERB Banking in Eurobank
in 2013 we launch Mobter
4. JavaToken
Can run on (almost) any Java phone
Implements AES, SHA256
Fits easily into 30kB limit
6. no SSL/TLS (no secure transport)
no AppStore, no Google Play
no application signing
no secure updates
internet communication only during installation
no PIN to unlock your phone, no TouchID, etc.
not enough processing power to harden the PIN
no full disk encryption
30kB application size limit
8. .jar contains a secret encrypted using activation code
application built-in secret
dedicated .jar for every customer
activation code provided in bank outpost
unpredictable URL sent via WAP-Push or SMS (no access for bank's employees)
start identifier
challenge compression (9 digits)
no local PIN verification (only a playing-card hint: 6.25%, i.e. 625 PINs per card)
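As an added illustration (constructed here, not CERB or JavaToken code), the sketch below shows the design behind "no local PIN verification": the PIN only unwraps the stored secret and shapes the response, so someone holding the .jar has nothing to test PIN guesses against offline, while the playing-card hint returns just 4 bits, which is why 625 of the 10,000 four-digit PINs share any given card. Assumed: PBKDF2 plus a SHA-256 keystream stand in for the real AES construction, and responses are 6 digits.

```python
import hashlib
import hmac

# Constructed sketch, not CERB/JavaToken code. Design points taken from the slide:
# secret stored encrypted, no local PIN check, a 1-in-16 playing-card hint, and a
# 9-digit challenge. PBKDF2 plus a SHA-256 keystream stand in for AES so the code
# runs on the standard library alone; 6-digit responses are an assumption.

CARDS = [f"{rank}{suit}" for suit in "SHDC" for rank in "AKQJ"]  # 16 possible hints

def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (stand-in for the real AES)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def wrap_secret(secret: bytes, pin: str, salt: bytes) -> bytes:
    """Encrypt the token secret under the PIN. Deliberately no MAC or padding check:
    the .jar must not contain anything that lets an attacker test PINs offline."""
    key = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 1000)
    return bytes(a ^ b for a, b in zip(secret, keystream(key, len(secret))))

unwrap_secret = wrap_secret  # XOR with the same keystream decrypts

def card_hint(pin: str) -> str:
    """4-bit feedback: a mistyped PIN shows the expected card with probability 1/16."""
    return CARDS[int(pin) % 16]

def response(wrapped: bytes, pin: str, salt: bytes, challenge: str) -> str:
    """Every PIN produces some 6-digit response; only the right PIN produces the one
    the server expects, so a wrong PIN is detected server-side, not in the app."""
    if len(challenge) != 9 or not challenge.isdigit():
        raise ValueError("challenge must be 9 digits")
    secret = unwrap_secret(wrapped, pin, salt)
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

def pins_sharing_hint(pin: str) -> int:
    """How many of the 10,000 four-digit PINs show the same card as `pin` (10000/16)."""
    return sum(card_hint(f"{p:04d}") == card_hint(pin) for p in range(10_000))
```

The server-side counterpart simply recomputes `response` with the real secret and compares; the app itself never learns whether the PIN was right.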
11. application isolation
much more secure installation process
mobile OSes designed for single user
separation between applications
autonomous platform (problem when compromised)
native apps allow for better security than web sites (e.g. certificate pinning)
14. security fixes are much harder and slower to roll out as updates
Android customized by hardware vendors and mobile operators
much slower adoption for new security features
various security features not available for all hardware vendors