Mobile Application Security and Mobile Security Applications: Sticks and Carrots
30 September 2011
Craig Heath, Independent Mobile Security Consultant
© Franklin Heath Ltd

2. Topics
- Who the [heck] are you?
- Why can't you turn this [stupid] security off?
  - Comparing security frameworks on the main platforms
- What's in it for me? Security apps that vendors and operators aren't doing
  - Notarised call recording
  - Premium charge warning
  - Trustworthy viewport

3. My Background
- Working in systems software security since 1989 (UNIX and Enterprise Java)
- Focus on mobile platforms since 2002
  - Responsible for Symbian's platform security strategy
  - Lead author of the book "Symbian OS Platform Security"
  - Chief Security Technologist at the Symbian Foundation
- Now providing independent security consultancy
  - Set up Franklin Heath Ltd in November 2010

4. Why We Need Application Security
- Bad guys are deploying malicious phone apps to defraud people for commercial gain
  - Stealing virtual goods and credits
  - Premium rate messaging fraud
  - Phishing (e.g. banking mTANs)
- People need and expect their phones to be more trustworthy than their PCs have been
  - Emergency calls
  - Personal data (e.g. location, contacts, photos)

6. Mobile Device Security and Privacy Does Matter
- Organised crime is monetising mobile vulnerabilities
  - ZitMo in Europe, trojans in China and Russia
- Phone software platforms are becoming more uniform
  - Easier to target a bigger "addressable market"
  - Android market share increasing, iPhone steady
  - But don't forget "legacy" Symbian devices (still hundreds of millions)
- Widespread privacy breaches are sensitising people
  - e.g. Sony PlayStation Network
  - WSJ coverage of bad practice in mobile applications

7. Comparing Application Testing
- Apple and Google are two extremes of approach
  - iTunes App Store inspects every application and can reject it for arbitrary reasons
    - Good for consumers, bad for developers
  - Android Market takes a "common carrier" approach: pass through everything submitted, remove apps only if complaints are made
    - Good for developers, bad for consumers
- Symbian Signed did standardised third-party testing
  - Middle ground, manages costs, but provides little defence against deliberate malware
  - Note that the Nokia app store adds additional manual QA inspection

8. Comparing Application Signing
- Developer signing requirements vary
  - Android: "self-signed", free to create a certificate
  - iPhone: Apple developer registration includes the certificate cost
  - Symbian Signed required a third-party certificate costing $200
- The signing party for "production" apps also varies
  - iTunes and Amazon use only an app store signature
  - Android Market uses only the developer signature
  - Symbian Signed uses only the certifier signature

9. Comparing Copy Protection
- iTunes App Store uses Apple's proprietary FairPlay DRM
- Android Market doesn't provide automatic copy protection, but Google provides libraries for developers to invoke a licence server
- Nokia app store has lightweight "forward lock" copy protection

10. Opportunity: Put the User in Control
- Ways to benefit the end user, not the vendor or operator
  - Correcting "information asymmetries" to benefit consumers
  - More usable control over personal information sharing
  - Tools for the paranoid (or the security professional)
- Putting users in control of their own data and their own charges is the right thing to do
  - But usability is key
  - Don't cause security prompt blindness
  - Don't put the responsibility on them as a cop-out

11. Idea 1: Notarised Call Recording
- "Reciprocal Transparency": who watches the watchers?
- When you call a utility company, do you hear "this call may be recorded"?
  - It's being recorded for their benefit, not yours
- Have you ever been told they will do something, but when you call back: "I'm sorry, I have no record of that"?
  - Probably they do have a record, but you can't prove it: information asymmetry
- Why isn't this built in to my phone?
  - Hypothesis: difficult to do legally in all jurisdictions?

12. Idea 1: Notarised Call Recording: What can be done?
- Even a simple recording would help, together with the call log
  - but unlikely to be good enough evidence to use in court
- Could combine this with a "digital notary"
  - take a hash of the recording (any later tampering becomes detectable)
  - have the hash signed by a trusted third party together with a time stamp
  - this proves that the recording existed at or before that time
- Make sure it's legal in the UK
  - Play a recorded announcement at the start? (= reciprocal)

13. Idea 2: Premium Charge Warning
- Premium rate voice and SMS service providers in the UK are required by law to advise consumers of their charges in advance
  - but they haven't always done this
  - and, most obviously, malware isn't going to respect this
- In the UK, you can discover the charges with a free SMS (76787)
  - also available as a web-based online number checker
  - but I doubt many people use this regularly
- It would be much more useful if your phone did this for you
  - operators may not like this (it could discourage use of legitimate services)

14. Idea 2: Premium Charge Warning: What can be done?
- A filter that checks the numbers your phone is calling and texting, and warns before the call is placed if it's premium rate
  - "allow this application to spend 50p?" would be far more usable than "allow this application to make phone calls and send text messages?"
- Could be extended to enforce rules, e.g.
  - allow this application to spend up to £5
  - allow this application to send 2 texts per day
- But the data isn't easily available, and the hooks aren't accessible on all phone platforms
  - a "proof of concept" app could allow pressure to be brought

15. Idea 2: Premium Charge Warning: Proof-of-concept Possibilities
- Screen-scraping of the PhonePayPlus number checker
  - http://www.phonepayplus.org.uk/Number-Checker/Check-a-Number-Results.aspx?ncn=number
- Trapping the call/SMS before it's sent
  - On Android, the ACTION_NEW_OUTGOING_CALL broadcast action allows voice calls to be intercepted
  - No equivalent for SMS?
- Charge information for number ranges is available commercially
  - Could it be a marketing opportunity for the holders to make it available for free in some way, limited to this purpose?
  - Could it be made available as part of government Open Data?

16. Idea 3: Trustworthy Viewport
- The typical desktop web commerce model is for the user to enter a password to confirm the transaction
  - OK if the user can confirm they are giving it to the payment provider and not to a "phishing" site
- Mobile browsers lack the visual security cues
  - No room on a small screen for the window "chrome"
  - Apps can draw on the entire display area
- The desktop model of entering a password to authorise the transaction is dangerous on mobile

17. Examples of Insecure Mobile Experience for In-App Payments

18. Idea 3: Trustworthy Viewport: What can be done?
- Have a "helper" app provide the UI for password entry
- Show the user something that a malicious app can't
  - e.g. Yahoo! "sign-in seal", 3-D Secure "Personal Assurance Message"
- Couple that with a clear indication of the origin of the view contents
  - cf. Internet Explorer highlighting the second-level domain, Firefox's green background for EV server certificates, etc.
- Wrapper for Android WebView?
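The hash-and-timestamp scheme of slide 12, as an added example in Python; this is not code from the presentation. It assumes a notary that authenticates (digest, timestamp) pairs with HMAC-SHA256 under a notary-held key (NOTARY_KEY, a demo value chosen here). A real time-stamping authority would sign with a private key, RFC 3161 style, so that anyone holding its certificate can verify the token without sharing a secret; the HMAC keeps the example standard-library only. The recording bytes are constructed, and the notary only ever receives the digest, so the call content stays private.

```python
"""Digital notary for a call recording: hash it, then have a third party time-stamp the hash."""
import hashlib
import hmac
import json

# Constructed stand-in for a call recording (a real one would be the audio file bytes).
SAMPLE_RECORDING = b"RIFF....WAVEfmt " + bytes(range(256)) * 4

# Assumption: the notary authenticates tokens with HMAC-SHA256 under this key.
# A real time-stamping service signs with a private key instead (see lead-in).
NOTARY_KEY = b"notary-demo-key-not-for-production"


def fingerprint(recording: bytes) -> str:
    """The only thing the client ever sends to the notary: a SHA-256 digest.
    The notary never sees the audio, which keeps the call content private."""
    return hashlib.sha256(recording).hexdigest()


def _canonical(fields: dict) -> bytes:
    # Canonical JSON so that notary and verifier authenticate exactly the same bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def notarise(digest_hex: str, notary_time: int, notary_key: bytes = NOTARY_KEY) -> dict:
    """Notary side: bind the submitted digest to the notary's own clock.
    notary_time comes from the notary's clock (seconds since the epoch), never the client's."""
    token = {"alg": "HMAC-SHA256", "hash": digest_hex, "ts": notary_time}
    token["sig"] = hmac.new(notary_key, _canonical(token), hashlib.sha256).hexdigest()
    return token


def verify(recording: bytes, token: dict, notary_key: bytes = NOTARY_KEY) -> bool:
    """Verifier side: the token must be one the notary really issued, and the recording
    must match the digest inside it. True means the recording existed at or before token['ts']."""
    claimed = {k: token.get(k) for k in ("alg", "hash", "ts")}
    expected = hmac.new(notary_key, _canonical(claimed), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token.get("sig", "")):
        return False  # forged, altered or back-dated token
    return hmac.compare_digest(fingerprint(recording), token["hash"])


def demo() -> dict:
    """Notarise the sample recording and show what verification catches."""
    token = notarise(fingerprint(SAMPLE_RECORDING), notary_time=1317340800)  # 30 Sep 2011 00:00 UTC
    tampered = SAMPLE_RECORDING[:100] + b"\x00" + SAMPLE_RECORDING[101:]   # one byte changed
    backdated = dict(token, ts=token["ts"] - 86400)                         # timestamp edited
    return {
        "genuine": verify(SAMPLE_RECORDING, token),
        "tampered_recording": verify(tampered, token),
        "backdated_token": verify(SAMPLE_RECORDING, backdated),
        "token": token,
    }


if __name__ == "__main__":
    print(demo())
```

The token proves existence at or before the notary's time, nothing more: it says nothing about who was on the call or whether the audio was edited before the digest was submitted, which is why the slide pairs it with the call log and the recorded announcement at the start of the call.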
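The charge-aware filter of slides 14 and 15, as an added Python example rather than the author's proof-of-concept. The tariff table is constructed sample data, not PhonePayPlus output: the prefixes and prices are illustrative only. It shows the longest-prefix tariff lookup, the "allow this application to spend 50p?" prompt, and the two rule types the slide lists (a spend cap and a texts-per-day limit). Hooking the actual call or text is platform specific (ACTION_NEW_OUTGOING_CALL on Android) and is not shown; the policy below is what such a hook would consult.

```python
"""Premium-rate warning and per-application spend limits for outgoing calls and texts."""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# Constructed sample tariff data, in pence per call or message. Illustrative only: a real
# filter would take these from the PhonePayPlus number checker or a commercial range feed.
PREMIUM_VOICE_PREFIXES = {
    "09": 150,                           # premium rate voice
    "0871": 10, "0872": 10, "0873": 10,  # higher-rate non-geographic
    "118": 300,                          # directory enquiries
}
SHORTCODE_TARIFFS = {
    "76787": 0,    # the free PhonePayPlus checker mentioned on slide 13
    "60777": 150,  # constructed: a £1.50 premium text service
    "88888": 500,  # constructed: a £5.00 premium text service
}


def normalise(number: str) -> str:
    """Strip formatting and map international dialling (+44 / 0044) to UK trunk form."""
    n = re.sub(r"[\s\-().]", "", number)
    if n.startswith("+44"):
        n = "0" + n[3:]
    elif n.startswith("0044"):
        n = "0" + n[4:]
    return n


def tariff_pence(number: str):
    """Cost in pence, 0 for a non-premium number, None if the tariff is unknown."""
    n = normalise(number)
    for prefix in sorted(PREMIUM_VOICE_PREFIXES, key=len, reverse=True):  # longest match wins
        if n.startswith(prefix):
            return PREMIUM_VOICE_PREFIXES[prefix]
    if n in SHORTCODE_TARIFFS:
        return SHORTCODE_TARIFFS[n]
    if n.startswith("0") and len(n) == 11:
        return 0  # ordinary geographic / mobile / non-geographic UK number
    return None   # unlisted short code: the malware favourite, so never assume it is free


def fmt_pence(p: int) -> str:
    return f"{p}p" if p < 100 else f"£{p // 100}.{p % 100:02d}"


@dataclass
class AppBudget:
    """Per-application rules of the kind slide 14 proposes."""
    cap_pence: int       # "allow this application to spend up to £5"
    texts_per_day: int   # "allow this application to send 2 texts per day"
    spent_pence: int = 0
    texts_sent: dict = field(default_factory=lambda: defaultdict(int))

    def decide(self, kind: str, number: str, today: str):
        """Return (verdict, message, cost): verdict is 'allow', 'prompt' or 'deny'."""
        cost = tariff_pence(number)
        if cost is None:
            return "prompt", f"tariff for {normalise(number)} unknown; a charge may apply", None
        if cost == 0:
            return "allow", "not a premium rate number", 0
        if kind == "sms" and self.texts_sent[today] >= self.texts_per_day:
            return "deny", f"daily text limit of {self.texts_per_day} reached", cost
        if self.spent_pence + cost > self.cap_pence:
            return "deny", f"would exceed spend cap of {fmt_pence(self.cap_pence)}", cost
        return "prompt", f"allow this application to spend {fmt_pence(cost)}?", cost

    def record(self, kind: str, cost: int, today: str) -> None:
        """Call once the user has accepted the prompt and the call or text has gone out."""
        self.spent_pence += cost
        if kind == "sms":
            self.texts_sent[today] += 1


def demo() -> dict:
    """Walk a £5, two-texts-a-day budget through a day of constructed outgoing traffic,
    with the user accepting every prompt."""
    budget = AppBudget(cap_pence=500, texts_per_day=2)
    day = "2011-09-30"
    traffic = [("call", "+44 909 123 4567"), ("sms", "88888"), ("sms", "60777"),
               ("sms", "60777"), ("sms", "60777"), ("call", "020 7946 0000"),
               ("sms", "12345"), ("sms", "76787")]
    log = []
    for kind, number in traffic:
        verdict, message, cost = budget.decide(kind, number, day)
        if verdict == "prompt" and cost:      # user taps "allow"; unknown tariffs record nothing
            budget.record(kind, cost, day)
        log.append((kind, number, verdict, message))
    return {"log": log, "spent_pence": budget.spent_pence, "texts": budget.texts_sent[day]}


if __name__ == "__main__":
    for entry in demo()["log"]:
        print(entry)
```

The "deny" verdicts are where this beats a blanket SEND_SMS permission: the user set a cap once, and the fifth text is refused without a prompt they would have clicked through anyway.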
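The origin indication and sign-in seal of slide 18, as an added Python example, not code from the presentation. It assumes a small constructed public-suffix list (real code would load the full Public Suffix List), a set of trusted payment-provider domains, and a PasswordHelper class standing in for the "helper" app; the seal is a phrase chosen at enrolment. It shows why the highlighted part must be the registrable (second-level) domain rather than the leftmost label, which is exactly what a phishing host such as secure.paypal.com.evil.co.uk exploits.

```python
"""Origin indicator and sign-in seal for a password-entry helper view."""
from urllib.parse import urlsplit

# Constructed mini public-suffix list, enough for the examples here. "co.uk" is why a
# naive "last two labels" rule gives the wrong answer for UK sites.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk", "example"}


def registrable_domain(host: str):
    """The part IE highlights: the label just above the longest public suffix.
    Returns None when the host is itself a public suffix (nothing there to trust)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # i == 0 is the full host, so the longest suffix wins
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return host  # unknown suffix: show the whole host rather than guess


def _contains_labels(host_labels, wanted: str) -> bool:
    """True if the labels of `wanted` appear consecutively anywhere in host_labels."""
    w = wanted.split(".")
    return any(host_labels[i:i + len(w)] == w for i in range(len(host_labels) - len(w) + 1))


def origin_indicator(url: str, trusted_domains: set) -> dict:
    """What the helper view shows above the password box, and whether it should accept one."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    highlight = registrable_domain(host)
    secure = parts.scheme == "https"
    trusted = secure and highlight in trusted_domains
    # A trusted name buried inside somebody else's domain is the classic phishing trick.
    lookalike = highlight not in trusted_domains and any(
        _contains_labels(host.split("."), t) for t in trusted_domains)
    shown = host if highlight is None else host[:-len(highlight)] + "[" + highlight + "]"
    return {"host": host, "highlight": highlight, "address_bar": f"{parts.scheme}://{shown}",
            "secure": secure, "trusted": trusted, "lookalike": lookalike}


class PasswordHelper:
    """Stand-in for the helper app: holds each user's sign-in seal (something a malicious
    app cannot know) and only renders the password box for a trusted origin."""

    def __init__(self, trusted_domains):
        self.trusted = set(trusted_domains)
        self.seals = {}  # user -> seal chosen at enrolment (a phrase here; an image in practice)

    def enrol(self, user: str, seal: str) -> None:
        self.seals[user] = seal

    def render(self, user: str, url: str) -> dict:
        ind = origin_indicator(url, self.trusted)
        view = {"origin": ind["address_bar"], "seal": None, "password_box": False}
        if ind["trusted"]:
            view["seal"] = self.seals.get(user)        # shown before the user types anything
            view["password_box"] = view["seal"] is not None
        elif ind["lookalike"]:
            view["warning"] = f"{ind['host']} is not {', '.join(sorted(self.trusted))}"
        elif not ind["secure"]:
            view["warning"] = "connection is not encrypted"
        else:
            view["warning"] = "not a recognised payment provider origin"
        return view


if __name__ == "__main__":
    helper = PasswordHelper({"paypal.com"})
    helper.enrol("alice", "blue teapot")
    for u in ("https://www.paypal.com/checkout", "https://secure.paypal.com.evil.co.uk/pay"):
        print(helper.render("alice", u))
```

The seal only helps if it is shown before the password box and only on a trusted origin; a helper that displays the seal for any page teaches the user to ignore it, and the Editor's Notes' point stands: nothing stops a malicious app drawing its own padlock, so the helper must be something the app cannot draw over.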
Editor's Notes
- One of the two apps was on the official Android Market (the other on an "independent app store"). Dozens of cases of trojaned Android apps, with an estimated 100,000s of downloads, opening up remote C&C.
- Nokia store will now sign on your behalf (and issue UIDs and DevCerts) without requiring a Publisher ID for Express Signed capabilities.
- "Information asymmetry" is an economic term, referring to transactions in which one party has more, or better, information than the other. BTW, what's not an opportunity is anti-virus software.
- Commercial ($10) Android app "Total Recall".
- PhonePayPlus consultation doesn't address deliberate fraud.
- Telcordia Mobile ID: http://www.telcordia.com/services/interconnection/mobile-id.html
- There is no law (or technology) that prevents malicious applications from drawing pictures of padlocks.