Managing sensitive data in mobile applications

Paweł Jakub Dawidek CTO

<p.dawidek@mobter.com>

a bit of history

in 2004 we start a company (Wheel Systems)

after 12 years... mission not yet fully accomplished, but really soon now

in 2005 we deploy CERB (corporate version) for the first time

our mission: eliminate static passwords!

our product: authentication system (CERB) which uses mobile application

as one-time password generatorit is 2004, so the name for the app is

obvious: JavaToken

in 2007 we deploy CERB Banking in Eurobank

in 2013 we launch Mobter

JavaToken

Can run on (almost) any Java phone

Implements AES, SHA256

Fits easily into 30kB limit

challenges

no SSL/TLS (no secure transport)

no AppStore, no Google Play

no applications signing

no secure updates

internet communication only during installation

no PIN to unlock your phone, no TouchID, etc.

not enough power to harden PIN

no full disk encryption

30kB application size limit

solutions

.jar contains a secret encrypted using activation code

application built-in secret

dedicated .jar for every customer

activation code provided in bank outpost

unpredictable URL send via WAP-Push or SMS (no access for bank’s employees)

start identifier

challenge compression (9 digits)

no local PIN verification (a playing card hint, 6.25%, 625)

technologies available back then

desktop OS vs. mobile OS

application isolation

much more secure installation process

mobile OSes designed for single user

separation between applications

autonomous platform (problem when compromised)

native apps allow for better security than web sites (eg. certificate pinning)

Android fragmentation problem (two dimensions)

much harder and longer to update for security fixes

Android customized by hardware vendors and mobile operators

much slower adoption for new security features

various security features not available for all hardware vendors

data protection

iOS

credit: NCC Group

iOS

credit: NCC Group

Android

credit: NCC Group

Android

credit: NCC Group

Questions?