Usable Security for Smartphones

Nokia Research Center
Cynthia Kuo, Senior Researcher
October 26, 2010


Page 1: Usable Security for Smartphones

Nokia Research Center

Usable Security for Smartphones
Cynthia Kuo
Senior Researcher
October 26, 2010

Page 2: Usable Security for Smartphones

Many Development Platforms

Worldwide Smartphone Sales to End Users by Operating System in 2Q10
http://www.gartner.com/it/page.jsp?id=1421013

Coming soon…
• Windows Phone 7
• MeeGo (Maemo + Moblin)
• BlackBerry Tablet OS

Page 3: Usable Security for Smartphones

A Few Usable Security Topics in Smartphones
• Better application permissions models
• Using smartphones for authentication
• Better models for website authentication
• Phone-friendly CAPTCHAs
• Lost or stolen devices / data backup and restoration

Page 4: Usable Security for Smartphones

Company Confidential

Application Permissions: Threat Model

PC
• Many users share the same machine
• Protect users from one another
• Implement access control on users’ data

Smartphone
• One user, one device
• Users may install malicious applications
• Protect processes from one another
• Implement access control on resources
• Protect business model

Page 5: Usable Security for Smartphones

Application Permissions: Symbian

Symbian signed
• Application has passed certain tests and is signed against a certificate
• Signed installation package contains a list of the application’s capabilities

Page 6: Usable Security for Smartphones

Application Permissions: Symbian

Self-signed
• Has no capabilities
• User can grant capabilities
  • Blanket
    • Installation time
  • One-shot
    • When the requiring action takes place

Page 7: Usable Security for Smartphones

Application Permissions: BlackBerry

• Resource grant during installation and first start
• Configurable through menu
• May also be configured by administrator through BlackBerry Enterprise Server
  • Application installation
  • Application permissions
  • Data that application can access

Page 8: Usable Security for Smartphones

Application Permissions: iPhone

• Codesigning used for certifying applications that pass app store requirements

• All apps need to be signed by Apple's private key(s) to run on (non-jailbroken) iPhone

• Password demonstrates user’s intent to install

• No options or requests for resource access

Page 9: Usable Security for Smartphones

Application Permissions: Android

• Applications are self-signed
  • Used for continuity (package updates) and integrity
• Android’s blanket grant during installation
• 112 Google-defined permissions
• Developers can define their own permissions to expose APIs to other applications

Content from David Barrera

Page 10: Usable Security for Smartphones

Using Smartphones for Authentication

[ Coming up next! ]

Page 11: Usable Security for Smartphones

Better Model for Authenticating Websites

Page 12: Usable Security for Smartphones

Better CAPTCHAs?

Alex Smolen, Becky Hurwitz, Dhawal Mujumdar, UC Berkeley i213 Spring 2010 Project

Page 13: Usable Security for Smartphones

Lost or Stolen Devices / Data Backup and Restoration
• When your phone is your primary device, what happens when you lose it?

Page 14: Usable Security for Smartphones

Summary: A Few Usable Security Topics

• Better application permissions models
• Using smartphones for authentication
• Better models for website authentication
• Phone-friendly CAPTCHAs
• Lost or stolen devices / data backup and restoration

Page 15: Usable Security for Smartphones

Thank You
