Mobile Security Sticks and Carrots

Franklin Heath Ltd, 30 September 2011

Mobile Application Security and Mobile Security Applications: Sticks and Carrots

Craig Heath, Independent Mobile Security Consultant

Upload: craig-heath

Post on 08-May-2015


DESCRIPTION

In some ways, security is a cost or tax on application development that we would prefer not to pay, but on the other hand mobile platforms provide some unique opportunities for enhancing the security and privacy of users in meaningful ways. This presentation covers the "sticks" - the security hurdles that mobile application developers have to deal with - and then the "carrots" - the opportunities we have to use mobile security to empower consumers and help them keep control of their personal information.

TRANSCRIPT

Page 1: Mobile Security Sticks and Carrots

Franklin Heath Ltd, 30 September 2011

Mobile Application Security and Mobile Security Applications: Sticks and Carrots

Craig Heath, Independent Mobile Security Consultant

Page 2: Mobile Security Sticks and Carrots

CC BY 3.0 © Franklin Heath Ltd

Topics

Who the [heck] are you?

Why can’t you turn this [stupid] security off?

Comparing security frameworks on the main platforms

What’s in it for me?

Security apps that vendors and operators aren’t doing:

Notarised call recording

Premium charge warning

Trustworthy viewport

Page 3: Mobile Security Sticks and Carrots


My Background

Working in systems software security since 1989: UNIX and Enterprise Java

Focus on mobile platforms since 2002: responsible for Symbian’s platform security strategy

Lead author of the book “Symbian OS Platform Security”

Chief Security Technologist at the Symbian Foundation

Now providing independent security consultancy: set up Franklin Heath Ltd in November 2010

Page 4: Mobile Security Sticks and Carrots


Why We Need Application Security

Bad guys are deploying malicious phone apps to defraud people for commercial gain:

Stealing virtual goods and credits

Premium rate messaging fraud

Phishing (e.g. banking MTANs)

People need and expect their phones to be more trustworthy than their PCs have been:

Emergency calls

Personal data (e.g. location, contacts, photos)

Page 5: Mobile Security Sticks and Carrots


Fraudulent Apps are Real


Page 6: Mobile Security Sticks and Carrots


Mobile Device Security and Privacy Does Matter

Organised crime is monetising mobile vulnerabilities: ZitMo in Europe, trojans in China and Russia

Phone software platforms are becoming more uniform:

Easier to target a bigger “addressable market”

Android market share increasing, iPhone steady

But don’t forget “legacy” Symbian devices (still 100s of millions)

Widespread privacy breaches are sensitising people: e.g. Sony PlayStation Network

WSJ coverage of bad practice in mobile applications

Page 7: Mobile Security Sticks and Carrots


Comparing Application Testing

Apple and Google are two extremes of approach:

iTunes app store inspects every application and can reject for arbitrary reasons: good for consumers, bad for developers

Android Market “common carrier” approach: pass through everything submitted, remove apps only if complaints are made: good for developers, bad for consumers

Symbian Signed did standardised third-party testing: middle ground, manages costs, but provides little defence against deliberate malware

Note that Nokia app store adds additional manual QA inspection

Page 8: Mobile Security Sticks and Carrots


Comparing Application Signing

Developer signing requirements vary:

Android: “self-signed”, free to create a certificate

iPhone: Apple developer registration includes certificate cost

Symbian Signed required a third-party, $200, certificate

Signing party for “production” apps also varies:

iTunes and Amazon use only an app store signature

Android Market uses only the developer signature

Symbian Signed uses only the certifier signature

Page 9: Mobile Security Sticks and Carrots


Comparing Copy Protection

iTunes app store uses Apple proprietary FairPlay DRM

Android Market doesn’t provide automatic copy protection, but Google provides libraries for developers to invoke a licence server

Nokia app store has lightweight “forward lock” copy protection


Page 10: Mobile Security Sticks and Carrots


Opportunity: Put the User in Control

Ways to benefit the end user, not the vendor or operator:

Correcting “information asymmetries” to benefit consumers

More usable control over personal information sharing

Tools for the paranoid (or security professional)

Putting users in control of their own data and their own charges is the right thing to do, but usability is key:

Don’t cause security prompt blindness

Don’t put the responsibility on them as a cop-out

Page 11: Mobile Security Sticks and Carrots


Idea 1: Notarised Call Recording

“Reciprocal Transparency” – who watches the watchers?

When you call a utility company, do you hear “this call may be recorded”?

it’s being recorded for their benefit, not yours

Have you ever been told they will do something, but when you call back: “I’m sorry, I have no record of that”?

probably they do, but you can’t prove it: information asymmetry

Why isn’t this built in to my phone? Hypothesis: difficult to do legally in all jurisdictions?

Page 12: Mobile Security Sticks and Carrots


Idea 1: Notarised Call Recording

What can be done?

Even a simple recording would help, with the call log, but unlikely to be good enough evidence to use in court

Could combine this with a “digital notary”:

take a hash of the recording (prevents future tampering)

have the hash signed by a trusted third party with a time stamp

proves that the recording was made at or before that time

Make sure it’s legal in the UK: play a recorded announcement at the start? (= reciprocal)
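The three “digital notary” steps on this slide (hash the recording, have a trusted third party sign the hash with a time stamp, verify later) as a small worked example in Go. This is an added illustration, not code from the presentation or from Franklin Heath Ltd; the notary, its Ed25519 key and the token layout (digest || big-endian timestamp) are assumptions chosen for the example, and the “recording” is a constructed byte string rather than audio. The phone only ever sends the digest, so the notary learns nothing about the call itself.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// NotaryToken is what the (hypothetical) notary returns to the phone: a SHA-256
// digest of the recording bound to a time the notary vouches for.
type NotaryToken struct {
	Digest    [32]byte // SHA-256 of the recording; the notary never sees the audio
	Timestamp int64    // Unix seconds at which the notary signed
	Signature []byte   // Ed25519 signature over Digest || Timestamp
}

// signedBytes is the exact byte string the notary signs (assumed layout).
func signedBytes(digest [32]byte, ts int64) []byte {
	var buf [40]byte
	copy(buf[:32], digest[:])
	binary.BigEndian.PutUint64(buf[32:], uint64(ts))
	return buf[:]
}

// DigestRecording runs on the phone; only this value leaves the device.
func DigestRecording(recording []byte) [32]byte { return sha256.Sum256(recording) }

// Notarise is the notary side: sign the digest together with the current time.
func Notarise(priv ed25519.PrivateKey, digest [32]byte, now time.Time) NotaryToken {
	ts := now.Unix()
	return NotaryToken{Digest: digest, Timestamp: ts, Signature: ed25519.Sign(priv, signedBytes(digest, ts))}
}

// Verify is what a later party (the user, an ombudsman, a court) runs: recompute the
// hash of the recording as presented, compare it with the notarised digest, then
// check the notary's signature over digest and time stamp.
func Verify(pub ed25519.PublicKey, recording []byte, tok NotaryToken) error {
	if DigestRecording(recording) != tok.Digest {
		return errors.New("recording does not match notarised digest (altered or wrong file)")
	}
	if !ed25519.Verify(pub, signedBytes(tok.Digest, tok.Timestamp), tok.Signature) {
		return errors.New("notary signature invalid (token tampered or wrong notary)")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the notary's long-term key (assumed)
	recording := []byte("constructed sample: 'you will be refunded within 14 days'")
	tok := Notarise(priv, DigestRecording(recording), time.Date(2011, 9, 30, 10, 0, 0, 0, time.UTC))
	fmt.Println("original verifies:", Verify(pub, recording, tok))
	edited := append(append([]byte(nil), recording...), '!')
	fmt.Println("edited verifies:", Verify(pub, edited, tok))
}
```

What the token proves is exactly what the slide says and no more: that a recording with this digest existed at or before the signed time. It says nothing about who was speaking or whether the audio was genuine when hashed, which is why the slide still questions whether it would be good enough evidence in court.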

Page 13: Mobile Security Sticks and Carrots


Idea 2: Premium Charge Warning

Premium rate voice and SMS service providers in the UK are required by law to advise consumers of their charges in advance

but they haven’t always done this in the most obvious way

malware isn’t going to respect this

In the UK, you can discover the charges with a free SMS (76787)

also available as a web-based online number checker

but I doubt many people use this regularly

It would be much more useful if your phone did this for you

operators may not like this (could discourage use of legitimate services)


Page 14: Mobile Security Sticks and Carrots


Idea 2: Premium Charge Warning

What can be done?

Filter to check numbers your phone is calling and texting, and warn before the call is placed if it’s premium rate

“allow this application to spend 50p?” would be far more usable than “allow this application to make phone calls and send text messages?”

Could be extended to enforce rules, e.g.:

allow this application to spend up to £5

allow this application to send 2 texts per day

But data isn’t easily available, and the hooks aren’t easily accessible on all phone platforms: a “proof of concept” app could allow pressure to be brought

Page 15: Mobile Security Sticks and Carrots


Idea 2: Premium Charge Warning

Proof-of-concept Possibilities

Screen-scraping of the PhonePayPlus number checker: http://www.phonepayplus.org.uk/Number-Checker/Check-a-Number-Results.aspx?ncn=number

Trapping the call/SMS before it’s sent: on Android, the ACTION_NEW_OUTGOING_CALL broadcast action allows voice calls to be intercepted. No equivalent for SMS?

Charge information for number ranges is available commercially: could it be a marketing opportunity for the holders to make it available for free in some way, limited to this purpose?

Could it be made available as part of government Open Data?
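The filter and the rules from the previous two slides (“allow this application to spend up to £5”, “allow this application to send 2 texts per day”) as a worked policy engine in Go. This is an added example, not the presenter’s proof-of-concept; it models the decision that an outgoing-call hook such as Android’s ACTION_NEW_OUTGOING_CALL would ask for, but does not implement the hook itself. The tariff table is constructed for illustration and is not real regulator or operator data, which the slides note is the hard part to obtain; the prefix matching is longest-prefix, and +44 numbers are normalised to the 0-prefixed national form.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Kind distinguishes a voice call from a text; tariffs differ by kind.
type Kind int

const (
	Call Kind = iota
	Text
)

// rangeEntry is one row of a number-range tariff table, cost in pence.
type rangeEntry struct {
	kind   Kind
	prefix string
	label  string
	pence  int
}

// ranges is a CONSTRUCTED tariff table for the example; real range data would come
// from the regulator's number checker or a commercial provider.
var ranges = []rangeEntry{
	{Call, "0909", "premium rate voice (constructed)", 150},
	{Call, "090", "premium rate voice (constructed)", 100},
	{Call, "07", "UK mobile (constructed, in bundle)", 0},
	{Text, "07", "UK mobile (constructed, in bundle)", 0},
	{Text, "8", "premium SMS shortcode (constructed)", 150},
}

// Lookup normalises the dialled string and returns the longest matching prefix entry.
func Lookup(kind Kind, dest string) (rangeEntry, bool) {
	dest = strings.NewReplacer(" ", "", "-", "").Replace(dest)
	if strings.HasPrefix(dest, "+44") {
		dest = "0" + dest[3:]
	}
	best, found := rangeEntry{}, false
	for _, r := range ranges {
		if r.kind == kind && strings.HasPrefix(dest, r.prefix) && len(r.prefix) > len(best.prefix) {
			best, found = r, true
		}
	}
	return best, found
}

// Policy is what the user granted one application: a spend ceiling and a texts-per-day ceiling.
type Policy struct {
	App         string
	BudgetPence int // "allow this application to spend up to £5" -> 500
	TextsPerDay int // "allow this application to send 2 texts per day" -> 2
	spent       int
	textDay     string
	textsToday  int
}

// Decision is returned before the call or text goes out; Reason is written in the
// money terms the slide argues are more usable than raw capability prompts.
type Decision struct {
	Allow  bool
	Reason string
}

// Authorize applies the policy to one outgoing call or text at time now.
// Unknown ranges are refused (the user should be asked) rather than assumed free.
func (p *Policy) Authorize(kind Kind, dest string, now time.Time) Decision {
	entry, ok := Lookup(kind, dest)
	if !ok {
		return Decision{false, fmt.Sprintf("%s: unknown number range %q, ask the user", p.App, dest)}
	}
	if kind == Text {
		day := now.UTC().Format("2006-01-02")
		if day != p.textDay { // new day: reset the per-day counter
			p.textDay, p.textsToday = day, 0
		}
		if p.textsToday >= p.TextsPerDay {
			return Decision{false, fmt.Sprintf("%s: daily text limit (%d) reached", p.App, p.TextsPerDay)}
		}
	}
	if p.spent+entry.pence > p.BudgetPence {
		return Decision{false, fmt.Sprintf("%s: %s costs %dp, would exceed budget (%dp of %dp used)",
			p.App, entry.label, entry.pence, p.spent, p.BudgetPence)}
	}
	p.spent += entry.pence
	if kind == Text {
		p.textsToday++
	}
	return Decision{true, fmt.Sprintf("%s: %s, %dp charged (%dp of %dp used)",
		p.App, entry.label, entry.pence, p.spent, p.BudgetPence)}
}

func main() {
	p := &Policy{App: "quiz-game", BudgetPence: 500, TextsPerDay: 2}
	now := time.Now()
	for _, d := range []Decision{
		p.Authorize(Text, "80080", now),
		p.Authorize(Call, "0909 123 4567", now),
		p.Authorize(Call, "09001234567", now),
	} {
		fmt.Println(d.Allow, d.Reason)
	}
}
```

Two design points carry over from the slides: the prompt text is phrased as money, not capabilities, and the cumulative budget is enforced across both calls and texts, so a 150p shortcode and a 150p voice call draw on the same £5 ceiling.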

Page 16: Mobile Security Sticks and Carrots


Idea 3: Trustworthy Viewport

Typical desktop web commerce model is for the user to enter a password to confirm the transaction: OK if the user confirms they are giving it to the payment provider and not to a “phishing” site

Mobile browsers lack the visual security cues:

No room on a small screen for the window “chrome”

Apps can draw on the entire display area

Desktop model of entering password to authorize the transaction is dangerous on mobile

Page 17: Mobile Security Sticks and Carrots


Examples of Insecure Mobile Experience for In-App Payments


Page 18: Mobile Security Sticks and Carrots


Idea 3: Trustworthy Viewport

What can be done?

Have a “helper” app provide the UI for password entry

Show the user something that a malicious app can’t: e.g. Yahoo! “sign-in seal”, 3D Secure “Personal Assurance Message”

Couple that with a clear indication of the origin of the view contents: c.f. Internet Explorer highlighting the 2nd level domain, Firefox green background for EV server certificates, etc.

Wrapper for Android WebView?
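The two ingredients of this slide, a user-chosen seal that only the helper app knows and a clear indication of the registrable domain the content came from, as a worked example in Go. It is an added illustration, not code from the presentation; the helper app, its `Render` function and the `PaymentRequest` shape are assumptions, and the short suffix table stands in for a real public suffix list. The point it makes is the one the slide makes: a look-alike host such as pay.example.evil-host.example, or a URL that puts the provider’s name in the userinfo part, gets the real registrable domain highlighted and never receives the seal.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// PaymentRequest is what a merchant app hands the (hypothetical) helper app.
type PaymentRequest struct {
	PageURL string // where the password-entry page comes from
	Amount  string // what the user is approving
}

// Screen is what only the helper app may draw: the merchant never sees the seal.
type Screen struct {
	Origin  string // highlighted registrable domain, as IE did for the 2nd-level domain
	Seal    string // user's own phrase, shown only for an enrolled provider over HTTPS
	Amount  string
	Warning string
}

// multiPartSuffixes is a small CONSTRUCTED stand-in for a public suffix list.
var multiPartSuffixes = map[string]bool{"co.uk": true, "org.uk": true, "com.au": true}

// RegistrableDomain picks the part of the host the user should actually compare:
// "www.pay.example.co.uk" -> "example.co.uk"; "pay.example.evil-host.example" -> "evil-host.example".
func RegistrableDomain(host string) string {
	labels := strings.Split(strings.ToLower(host), ".")
	n := len(labels)
	if n < 2 {
		return host
	}
	if n >= 3 && multiPartSuffixes[labels[n-2]+"."+labels[n-1]] {
		return strings.Join(labels[n-3:], ".")
	}
	return strings.Join(labels[n-2:], ".")
}

// Helper holds the user's seal and the payment providers the seal was enrolled with.
type Helper struct {
	Seal    string
	Trusted map[string]bool // registrable domains of enrolled payment providers
}

// Render decides what the helper displays. It refuses plain HTTP, always shows the
// registrable domain, and shows the seal only for an enrolled provider, so a page at
// a look-alike domain cannot reproduce what the user expects to see.
func (h Helper) Render(req PaymentRequest) (Screen, error) {
	u, err := url.Parse(req.PageURL)
	if err != nil || u.Hostname() == "" {
		return Screen{}, errors.New("unparseable page URL")
	}
	origin := RegistrableDomain(u.Hostname()) // Hostname() ignores any user@ prefix
	s := Screen{Origin: origin, Amount: req.Amount}
	switch {
	case u.Scheme != "https":
		s.Warning = "not an encrypted connection; seal withheld"
	case !h.Trusted[origin]:
		s.Warning = fmt.Sprintf("%s is not one of your payment providers; seal withheld", origin)
	default:
		s.Seal = h.Seal
	}
	return s, nil
}

func main() {
	h := Helper{Seal: "purple teapot", Trusted: map[string]bool{"pay.example": true}}
	for _, u := range []string{
		"https://checkout.pay.example/confirm",
		"https://pay.example.evil-host.example/confirm",
		"https://pay.example@evil-host.example/confirm",
	} {
		s, err := h.Render(PaymentRequest{PageURL: u, Amount: "£4.99"})
		fmt.Printf("%s -> %+v (err=%v)\n", u, s, err)
	}
}
```

On a real device the helper would also need to be the only thing drawing on the screen while the seal is visible, which is the gap the slide identifies with “apps can draw on the entire display area”; deriving the origin correctly is necessary but not sufficient.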

Page 19: Mobile Security Sticks and Carrots


Open Discussion…
