© omtp all rights reserved slide 1 - etsi · telephony api •calls to initiate and handle...


Surfing with the Sharks

Securing Mobile Widgets

5th ETSI Security Workshop

20th January 2010

Sophia Antipolis, France

David Rogers, Director of External Relations, OMTP


OMTP – Who are we?

Advisor

members

Operator Members

Sponsor members


OMTP Non-BONDI Activity

• Updating common charger publication with to reflect enhanced

power requirementsGreen Chargers

• Defragmentation of Bluetooth profiles Bluetooth

• Defining standard camera propertiesCamera

• Defining mechanisms for in store wired updates for devicesWired Updates

• Standardising common device errors for simplified reportingCommon Errors

• Defining enhancements to existing visual voicemail specificationsVisual voicemail client

• Addressing the end to end problem of ensuring multiple applications

can maintain always on connectivity, (network and battery)

Network and battery

optimisation


What are Widgets?

• Small self-contained web applications:

• CSS, HTML, JavaScript, XML - zipped

• Perfect for mobile – easy to program and distribute

• Device independent, cross-platform

• Opportunity for Apps everywhere: (overcoming fragmentation)

=


Widgets, widgets or

widgets?

DesktopYahoo! Konfabulator

Apple Dashboard

Microsoft Gadgets

Klipfolio

Plasma

Screenlets

Yahoo! Blueprint

BluePulse

Mywidz

Plusmo

Webwag

Widsets

WidX

Zumobi

Java

MobileAccess Netfront

Blueprint

Google Gears

Opera

Qualcomm Plaza

Symbian

WidX

AJAX

WebiGoogle

NetVibes

Pageflakes

My Yahoo!

Windows Live

Some examples:

c.15 others


Making widgets useful

– device APIs• Connects the web world with the real world

• Enables richer and more useful applications

• Much easier to develop on than proprietary platforms

• Mostly mobile but not the future is not limited to that:

Televisions & Set-top boxes

Vehicles

White Goods Other Consumer Electronics

Security &

Privacy?

Streaming Media

Temperature sensors

Timers

Location

Messaging

Gallery

Weight

Speed

Diagnostics

Fares / charging

Gallery


What are the Dangers?

http://i393.photobucket.com/albums/pp12/mario12_023/surfer1.jpg

• We are enabling cross-platform, cross-device, easy to develop, highly

functional applications:

• Will this meet all the criteria for really successful malware on

mobile?

• Are we opening Pandora’s box?


Example 1 – Premium Rate Abuse

• A widget that seems benign but is actually spewing out SMSs to

premium rate numbers without the user’s knowledge

• Could be modified from an original safe widget.

http://www.dailydigest.voolstra.de/wp-content/uploads/2008/03/shark-vs-surfer.jpg

• Examples seen in the past, this

model could be used for ‘diallers’

too.

• Recent warnings on this:


Example 2 – Privacy Breach

• Location, contacts, gallery…

• Silently uploads data to a site from

a game?

• Clear goal for attackers already:

• Numerous high-profile examples in the

past

• Paris Hilton, Miley Cyrus, Lindsay Lohan

• Schoolkids getting a teacher’s private

pictures / videos

• News of the World, voicemail hacking

http://img.photobucket.com/albums/v251/joserouse/Surfing/Yikes.jpg


Example 3 – Integrity Breach

• A widget that replaces the

voicemail number with a

premium rate number instead?

• Planting evidence – photos,

files etc?

• Pure theft of data for various

reasons

http://images.paraorkut.com/img/funnypics/images/s/surfers_with_shark-12742.png


Example 4 – Phishing

• Widgets contain web content –

easy to duplicate and

masquerade as something

legitimate… perhaps a bank?

http://www.f-secure.com/weblog/archives/00001852.html


Making it safe to surf

• On the face of it, widgets look potentially very dangerous

• We need to protect the user

“If I say it’s safe to surf this beach,

then it’s safe to surf this beach!”


Signing

• Digital Signing has worked quite well for native

applications on mobile so far

• Some hiccups

• Signing schemes and App Stores have to be very careful what they

sign and allow

• Not a Panacea, but part of a holistic security solution:

• Provides Integrity and Identity

• Not a guarantee of authenticity

• Process needs to be simple for developers

• W3C Widget Digital Signatures spec.

• Combined with effective revocation or ‘kill-switches’ this

can work well


Policy

• Governs and regulates access to physical features

• Remotely configurable and managed

• Can be updated – intelligent and adaptable

• Most devices have a binary go / no-go solution at present

• Protects the user – potentially from themselves

• Prompting doesn’t work

• Users make bad decisions

• People don’t read things

• Automatic behaviour

• Give them the chance to click ‘yes’ and they will

• But: technology can’t always take a decision – user still

has to bear responsibility for their own actions


Policy Example

• BONDI provides a policy framework based on OASIS XACML

• 3rd parties can provide policy for users

• Operators, anti-virus vendors, consumer groups, charities etc.?

• Human-readable, easy to create:

• Automated tools for policy creation

<?xml version="1.0" encoding="us-ascii" ?>

- <policy-set combine="deny-overrides" id="9a956cf4-2be8-4c2b-b9a6-7343e48efff6">

- <policy combine="first-applicable" id="3a701221-12cb-4ebe-981d-ee5a5dab76c7" description="permit sms if number in current

country">

- <rule effect="permit">

- <condition>

- <resource-match attr="param:number">

<environment-attr attr="country-code" />

*

</resource-match>

<resource-match attr="device-cap">messaging.sms.send</resource-match>

</condition>

</rule>

- <rule effect="deny">

- <condition>

<resource-match attr="device-cap">messaging.sms.send</resource-match>

</condition>

</rule>

</policy>

</policy-set>


Browser Web runtime

Secure Access

Web engine

Widget

Package

Architecture

Sys

tem

Eve

nts

Co

mm

sH

isto

ry

Ap

pli

ca

tio

n In

vok

e

Me

ssa

gin

g

Ga

lle

ry

Pe

rsis

ten

ce

Ph

on

e S

tatu

s

PIM

Lo

ca

tio

n

Us

er

Inte

racti

on

Ap

pli

ca

tio

n S

ett

ing

s Dynamic

API

New API

Policy

Management

JavaScript ExtensionJavaScript

ErrorsEvents

Ca

me

ra

API

Management

Policy

Web

Package

Operating Systems RTOSs

http://images.google.com/imgres?imgurl=http://www.about-nokia.com/blog/media/pictures/20051102-s60.jpg&imgrefurl=http://www.about-nokia.com/blog/index.php?blogid=1&archive=2005-11&h=44&w=59&sz=2&hl=en&start=2&tbnid=R6esIqtB9xq23M:&tbnh=44&tbnw=59&prev=/images?q=series+60+logo&hl=en&rls=GGLD,GGLD:2007-45,GGLD:en-GB

http://images.google.com/imgres?imgurl=http://upload.wikimedia.org/wikipedia/en/thumb/c/c2/Android-logo.svg/180px-Android-logo.svg.png&imgrefurl=http://centrecom.com/index.php?option=com_content&task=view&id=6&Itemid=2&h=180&w=180&sz=9&hl=en&start=2&tbnid=h8XCA3Da_IfImM:&tbnh=101&tbnw=101&prev=/images?q=android+logo&hl=en&rls=GGLD,GGLD:2007-45,GGLD:en-GB

http://images.google.com/imgres?imgurl=http://www.vayusphere.com/img/logoBrew.gif&imgrefurl=http://www.vayusphere.com/current_partners.htm&h=169&w=261&sz=6&hl=en&start=1&tbnid=g5VFkYXM_wa9zM:&tbnh=73&tbnw=112&prev=/images?q=brew+logo+qualcomm&hl=en&rls=GGLD,GGLD:2007-45,GGLD:en-GB

http://images.google.co.uk/imgres?imgurl=http://www.engadget.com/media/2006/12/palm-logo.jpg&imgrefurl=http://www.engadgetmobile.com/tag/exchange/&h=214&w=216&sz=14&hl=en&start=1&um=1&tbnid=LngKD4vwifIndM:&tbnh=106&tbnw=107&prev=/images?q=garnet+os+logo&um=1&hl=en


Summary

Widgets are coming, be prepared!

• Don’t: be afraid – the risks can be managed

• Don’t: allow unrestricted access to device functions and APIs

• Do: ensure your app stores are properly inspecting submitted widgets

for malicious code

• Do: use digital signatures

• Do: use policy and encourage partners to work on this

• Do: share information on incidents with other industry members


Thanks!

Questions?


Appendix – Additional

Information


BONDI Group -

http://www.linkedin.com/groups?gid=1784510

follow us at “OMTP_BONDI”

http://bondi.omtp.org

http://www.omtp.org

BONDI Group –http://www.facebook.com/home.php#/group.php?gid=59780786136

More information

http://blog.omtpbondi.orgblog

http://bondidev.omtp.orgdev

http://www.linkedin.com/groups?gid=1784510

http://www.facebook.com/home.php




BONDI 1.1 DeliveriesFinal release Jan 2010

• Primary enhancement is the addition of

notification API that can respond to device events System Event APIs

• New Windows Mobile implementation

implementing the updated features

Updated Reference

Implementation

• Online Quality Assurance tools for the BONDI

Compliance Test Suite.

Compliance

Reporting

• Eclipse plug-in, and integrated help to aid

developers Developer tools

• Online signing tools to help widget packaging Security tools


BONDI 1.5 DeliveriesCandidate release planned Mar 2010

•Calls to initiate and handle telephony eventsTelephony API

• Interacting with core Bluetooth features Bluetooth API

• Developer APIs for accelerometer integrationSensors API

• Enhance existing APIs to allow BONDI to

interact with built in applicationsApp launcher API

• A set of requirements to define how and when a

Widget runtime can be updated

Widget Runtime Update

requirements

•Provide the ability for SCWS services to access BONDI APIsSmart Card Web Server

• APIs to interact with DLNA enabled devices DLNADigital Living Network Alliance

• APIs to access SIM capabilities APDU access API


BONDI 2.0 Deliveries

Candidate release planned Sept 2010

•APIs to grant access to security assets and functionsCrypto APIs

•Efficient mechanisms of server based notificationServer Push API

•Protocols and conventions to allow widgets to talk to one

another

Widget

intercommunication

•Negotiation and delivery mechanisms for new APIsAPI Extensibility

•Describing the characteristics of a connection for use in

APIs and policy

Connection Profile

Definition

•An API for using SIM identity in applicationsSubscriber Identity API

•Requirements and APIs to make widgets fit for mission

critical applications

Widget security

enhancements

•A discovery and provisioning protocol for security policies Policy Management

Protocol


W3C SpecificationsWidgets

http://www.w3.org/2008/webapps/wiki/WidgetSpecs

• Widgets 1.0: Packaging & Configuration (P&C)

• Widgets 1.0: Digital Signatures

• Widgets 1.0: Widget Interface

• Widgets 1.0: Widget Access Requests Policy (WARP)

• Widgets 1.0: Widget URIs

• Widgets 1.0: Widget Updates

• Widgets 1.0: View Modes Media Feature

Device APIs and Policy (DAP)

http://www.w3.org/2009/dap/

• Security Policy Framework

• APIs:

• PIM (Contacts, Calendar, Tasks)

• Camera

• Gallery

• Messaging

• System Information and Events

• FileSystem

• Application Launcher

• Application Configuration

• Communications Log

• User Interaction

Others

http://www.w3.org/2008/webapps/wiki/Main_Page

• Web Sockets API

• Web Workers

• Web Storage

• File API

HTML5

http://dev.w3.org/html5/spec/Overview.html

Geolocation

http://www.w3.org/2008/geolocation

© omtp all rights reserved slide 1 - etsi · telephony api •calls to initiate and handle...

Documents