Paweł Jakub Dawidek: Managing sensitive data in applications - a security analysis...
a bit of history
in 2004 we start a company (Wheel Systems)
after 12 years... mission not yet fully accomplished, but really soon now
in 2005 we deploy CERB (corporate version) for the first time
our mission: eliminate static passwords!
our product: an authentication system (CERB) which uses a mobile application
as a one-time password generator; it is 2004, so the name for the app is
obvious: JavaToken
in 2007 we deploy CERB Banking in Eurobank
in 2013 we launch Mobter
JavaToken
Can run on (almost) any Java phone
Implements AES and SHA-256
Fits easily into 30kB limit
challenges
no SSL/TLS (no secure transport)
no AppStore, no Google Play
no application signing
no secure updates
internet communication only during installation
no PIN to unlock your phone, no TouchID, etc.
not enough CPU power to harden the PIN (key stretching is too slow on the phone)
no full disk encryption
30kB application size limit
solutions
.jar contains a secret encrypted using activation code
application built-in secret
dedicated .jar for every customer
activation code provided in bank outpost
unpredictable download URL sent via WAP-Push or SMS (not accessible to the bank's employees)
start identifier
challenge compression (9 digits)
no local PIN verification (only a playing-card hint: it confirms 1 in 16 PINs, 6.25%, so 625 of the 10,000 four-digit PINs still match it)
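The "solutions" list above describes a design, not code. The following is an added, illustrative model of that design and is not JavaToken's or Wheel Systems' code. Assumptions of mine, not of the slides: PBKDF2-SHA256 as the key derivation function, a SHA-256 counter keystream standing in for AES (the Python standard library has no AES), a 16-card hint, a 6-digit HMAC-based response, and sample activation codes, PINs and challenges that are constructed here. What it shows: the device secret is shipped encrypted under the activation code, the PIN is never verified locally (a wrong PIN silently yields a wrong secret and therefore a wrong OTP), and an offline attacker who has the phone's storage can use the card hint only to shrink a 4-digit PIN space to roughly 625 candidates.

```python
"""Illustrative model of the JavaToken-style design (added example, not the
product's code).  Assumed: PBKDF2-SHA256, SHA-256 counter keystream in place
of AES, 16-card hint, 6-digit HMAC response."""
import hashlib
import hmac
import os

# 16 possible hint cards: a matching card confirms a PIN with probability 1/16.
CARDS = [f"{rank}{suit}" for suit in "SHDC" for rank in ("A", "K", "Q", "J")]

ACTIVATION_ITERS = 10_000   # bank-side key derivation, can afford stretching
PIN_ITERS = 100             # "not enough power to harden PIN" on the phone


def kdf(secret: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations, dklen=32)


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES: XOR with a SHA-256 counter keystream (symmetric)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def card_hint(device_secret: bytes) -> str:
    """Hint shown after PIN entry; derived from the secret, not from the PIN."""
    return CARDS[hashlib.sha256(b"hint" + device_secret).digest()[0] % len(CARDS)]


def build_jar_payload(device_secret: bytes, activation_code: str, salt: bytes) -> bytes:
    """Bank side: per-customer .jar carries the secret encrypted under the activation code."""
    return xor_stream(kdf(activation_code, salt, ACTIVATION_ITERS), device_secret)


def activate(jar_payload: bytes, activation_code: str, salt: bytes, pin: str) -> dict:
    """Phone side: recover the secret with the activation code, re-wrap it under the PIN.
    Nothing that verifies the PIN is stored, only the hint card."""
    device_secret = xor_stream(kdf(activation_code, salt, ACTIVATION_ITERS), jar_payload)
    wrapped = xor_stream(kdf(pin, salt, PIN_ITERS), device_secret)
    return {"salt": salt, "wrapped": wrapped, "hint": card_hint(device_secret)}


def unlock(store: dict, pin: str) -> bytes:
    """Any PIN 'works': a wrong one just yields a different (useless) secret."""
    return xor_stream(kdf(pin, store["salt"], PIN_ITERS), store["wrapped"])


def compress_challenge(challenge: bytes) -> str:
    """Transaction data compressed to 9 digits the user can type into the phone."""
    n = int.from_bytes(hashlib.sha256(challenge).digest()[:4], "big")
    return str(n % 10**9).zfill(9)


def otp(device_secret: bytes, challenge9: str) -> str:
    """6-digit response, HOTP-style dynamic truncation of HMAC-SHA256."""
    mac = hmac.new(device_secret, challenge9.encode(), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10**6).zfill(6)


def pins_consistent_with_hint(store: dict, digits: int = 4) -> list:
    """Offline attacker with the phone's storage: the hint only narrows the PIN
    space to about 1/16 (625 of 10,000); the rest must be tried online."""
    return [p for p in (str(i).zfill(digits) for i in range(10**digits))
            if card_hint(unlock(store, p)) == store["hint"]]


if __name__ == "__main__":
    salt = os.urandom(16)
    device_secret = os.urandom(32)        # bank keeps a copy for verification
    payload = build_jar_payload(device_secret, "7391-2284", salt)
    store = activate(payload, "7391-2284", salt, "4321")
    ch = compress_challenge(b"transfer 1500 PLN to account 12 3456 7890")  # constructed
    print("correct PIN matches server:", otp(unlock(store, "4321"), ch) == otp(device_secret, ch))
    print("wrong PIN, no local error, server rejects:", otp(unlock(store, "1234"), ch) == otp(device_secret, ch))
    print("PIN candidates left to an offline attacker:", len(pins_consistent_with_hint(store)))
```

The point of not storing a PIN verifier is that an attacker who extracts the wrapped secret from the handset cannot confirm a PIN guess offline; every guess has to be turned into an OTP and tried against the bank, where it can be rate-limited and the token locked.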
technologies available back then
desktop OS vs. mobile OS
application isolation
much more secure installation process
mobile OSes designed for single user
separation between applications
autonomous platform (problem when compromised)
native apps allow for better security than web sites (e.g. certificate pinning)
Android fragmentation problem (two dimensions)
much harder and longer to update for security fixes
Android customized by hardware vendors and mobile operators
much slower adoption for new security features
various security features not available for all hardware vendors
data protection
[slides: iOS data protection diagrams (credit: NCC Group)]
[slides: Android data protection diagrams (credit: NCC Group)]
Questions?