assessing mobile device platforms (e-government, m-government context)

Post on 20-Jan-2015

http://link.springer.com/chapter/10.1007%2F978-3-642-40160-2_11

IAIK

Assessing Mobile Device Platforms

EGOVIS 2013

Thomas Zefferer, Sandra Kreuzhuber, Peter Teufl

Background

A-SIT: Security consulting for public institutions

IAIK: IT security research

Combination: Awesome :-)

Thomas Zefferer Sandra Kreuzhuber Peter Teufl

A-SIT

Mobile Device Security

Sensitive data

Location, documents, credentials etc.

Problems

Threats: theft, malicious software etc.

Heterogeneous platforms: iOS, Android, Windows Phone, Windows Store, Blackberry, ...

Complexity: securing the systems, developing secure applications

Deployment Scenarios

E-Gov/M-Gov context

Use Cases

Internal usage (public/private sector):

Mobile-Device-Management (MDM) solution

Bring-Your-Own-Device (BYOD)

Citizen

Citizen applications (within M-Gov context)

Internal Use - MDM

Security policy modeled via MDM system

Mobile device locked down according to policy/requirements

PLUS

Most secure deployment scenario

MINUS

Not possible for citizen applications

Internal use: pressure by BYOD concept

Internal Use - BYOD

Device belongs to the user

No MDM deployment

Deployment of BYOD solutions on the user’s device (container applications, application wrapping)

PLUS

User has full control over the device

MINUS

Security!

Legal and technical issues

Citizen - MGov Applications

Applications developed for the citizen

Probably handling of critical data (personal data, etc.)

Similar considerations as for BYOD (however even fewer restrictions)

Considerations are also valid for non M-Gov apps

Banking apps, password safes, theft protection apps etc.

Assets, Threats

Assets

Data: credentials, application data, location, emails, SMS, contacts, usage patterns ...

Threats

Theft

Malware

Platform Security Features

Data Protection

Access protection

Encryption

Secure storage of credentials

MDM

Malware Resistance

Application APIs, sources

Permission system

Rooting, jailbreaking?

OS security

Updates, fragmentation

Security Analysis?

Access protection, encryption, secure storage of credentials

How does the encryption system work?

Is encryption based on a hardware element?

Is the user’s PIN involved in the key derivation function?

What is the scope of the encryption system?

What does the developer need to know?

How are backups encrypted?

Access Protection

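Example: iOS/Android Encryption

| Lock-Screen Type | Length | Chars | Number of passcodes | Brute-Force Days (iOS on device) | Brute-Force Days, 1 instance (Android, Amazon GPU) | Brute-Force Days, 1000 instances (Android, Amazon GPU) | Cost $ On-Demand Instances (GPU price) |
|---|---|---|---|---|---|---|---|
| Numerical | 4 | 10 | 10000 | 0.0 | 0.0 | 0.0 | 0.0 |
| Numerical | 6 | 10 | 1000000 | 0.9 | 0.0 | 0.0 | 0.0 |
| Numerical | 8 | 10 | 100000000 | 92.6 | 0.0 | 0.0 | 1.3 |
| Numerical | 10 | 10 | 10000000000 | 9,259.3 | 2.6 | 0.0 | 133.3 |
| Alphanum (10/26 letters) | 4 | 36 | 1679616 | 1.6 | 0.0 | 0.0 | 0.0 |
| Alphanum (10/26 letters) | 6 | 36 | 2176782336 | 2,015.5 | 0.6 | 0.0 | 29.0 |
| Alphanum (10/26 letters) | 7 | 36 | 78364164096 | 72,559.4 | 20.7 | 0.0 | 1,044.9 |
| Alphanum (10/26 letters) | 8 | 36 | 2.82111E+12 | 2,612,138.8 | 746.3 | 0.7 | 37,614.8 |
| Alphanum (10/26 letters) | 9 | 36 | 1.0156E+14 | 94,036,996.9 | 26,867.7 | 26.9 | 1,354,132.8 |
| Alphanum (10/26 letters) | 10 | 36 | 3.65616E+15 | 3,385,331,888.9 | 967,237.7 | 967.2 | 48,748,779.2 |
| Alphanum (10/52 letters) | 4 | 62 | 14776336 | 13.7 | 0.0 | 0.0 | 0.2 |
| Alphanum (10/52 letters) | 5 | 62 | 916132832 | 848.3 | 0.2 | 0.0 | 12.2 |
| Alphanum (10/52 letters) | 6 | 62 | 56800235584 | 52,592.8 | 15.0 | 0.0 | 757.3 |
| Alphanum (10/52 letters) | 7 | 62 | 3.52161E+12 | 3,260,754.3 | 931.6 | 0.9 | 46,954.9 |
| Alphanum (10/52 letters) | 8 | 62 | 2.1834E+14 | 202,166,764.4 | 57,761.9 | 57.8 | 2,911,201.4 |
| Alphanum (10/52 letters) | 9 | 62 | 1.35371E+16 | 12,534,339,394.7 | 3,581,239.8 | 3,581.2 | 180,494,487.3 |
| Complex | 4 | 107 | 131079601 | 121.4 | 0.0 | 0.0 | 1.7 |
| Complex | 5 | 107 | 14025517307 | 12,986.6 | 3.7 | 0.0 | 187.0 |
| Complex | 6 | 107 | 1.50073E+12 | 1,389,565.1 | 397.0 | 0.4 | 20,009.7 |
| Complex | 7 | 107 | 1.60578E+14 | 148,683,470.0 | 42,481.0 | 42.5 | 2,141,042.0 |
| Complex | 8 | 107 | 1.71819E+16 | 15,909,131,294.7 | 4,545,466.1 | 4,545.5 | 229,091,490.6 |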

Mobile Device Management

Mobile Device Management (MDM)

Which rules?

How is the system integrated into the mobile device OS?

Fragmentation?

Applications

Application sources? Defined markets? Alternative sources (email, etc.)?

Application APIs?

Security, system integration etc.

Security: What does the developer need to know?

Permission System?

Usability, which permissions?

Core Security

OS security

low-level malware protection (buffer overflows, sandboxes, operating system architecture, programming languages)

Updates, fragmentation

Updates?

Fragmentation of OS versions?

Fragmentation of functionality (due to extensions of the OS)?

Platform Security - Managed

Managed devices

Which criteria?

MDM, MAM: functionality!

Applications (when not restricted)

Data Protection (mainly encryption)

[Figure: smartphone managed via MDM (security config) and MAM (apps)]

BYOD

Challenging in terms of security (and also legal considerations)!

Device is not managed!

Activation of OS security features depends on the user

Solutions:

Container applications

Application wrappers

OS integrated solutions (Blackberry Balance)

MDM, BYOD

[Figure: four architectures side by side: MDM, Container App, App Wrappers, Blackberry Balance (business area and private area). Each panel shows where management and security config apply to the apps on the smartphone.]

BYOD

Container Applications

Provide mail, contacts, browser, calendar, secure file storage in a specific application

Application cannot assume a secure environment: needs to implement its own security features

encryption, secure communication, root/jailbreak checks

highly platform specific (need to know the security features, APIs etc.)

Example

Container applications (also valid for mGov applications with sensitive data)

Key derivation (from password to encryption key) is a key requirement for secure encryption systems

Key derivation principles

Salt (no pre-calculated password tables)

Long derivation time (e.g. 80ms per passcode, on iOS)

Need to have cryptographic know-how to get it right

Mistakes: simple brute-force attacks...

[Figure: key derivation diagram with the elements passcode, salt, key derivation, derived key, data encryption key]
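The key derivation principles on this slide, as an added Python example that is not part of the original slides: a random salt, an iteration count calibrated to a target derivation time, and the exhaustive-search estimate that the 80 ms figure implies (it reproduces the "iOS on device" column of the tables). PBKDF2-HMAC-SHA256, the function names and the iteration floor are assumptions chosen for illustration; the slides do not name an algorithm.

```python
import hashlib
import os
import time

SECONDS_PER_DAY = 86_400


def derive_key(passcode: str, salt: bytes, iterations: int) -> bytes:
    """Salted, deliberately slow derivation of a 256-bit key from a passcode.

    PBKDF2-HMAC-SHA256 is an assumption; the slides do not name an algorithm.
    """
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), salt, iterations, dklen=32)


def calibrate_iterations(target_seconds: float = 0.080, probe: int = 20_000,
                         floor: int = 100_000) -> int:
    """Choose an iteration count so that one derivation takes about target_seconds here."""
    start = time.perf_counter()
    derive_key("probe", b"\x00" * 16, probe)
    elapsed = max(time.perf_counter() - start, 1e-9)
    # Never drop below the floor, even on a very slow device (floor is illustrative).
    return max(floor, int(probe * target_seconds / elapsed))


def brute_force_days(charset_size: int, length: int, seconds_per_guess: float = 0.080) -> float:
    """Days needed to try every passcode of this length at a fixed cost per guess."""
    return charset_size ** length * seconds_per_guess / SECONDS_PER_DAY


if __name__ == "__main__":
    iterations = calibrate_iterations()
    salt = os.urandom(16)  # per-installation random salt, stored next to the ciphertext
    key = derive_key("1234", salt, iterations)  # constructed sample passcode
    other = derive_key("1234", os.urandom(16), iterations)
    print("iterations for ~80 ms:", iterations)
    print("same passcode, different salt, same key?", key == other)
    # Rows taken from the slide's table: (type, charset size, length)
    for label, chars, length in [("Numerical", 10, 8), ("Alphanum 10/26", 36, 6), ("Complex", 107, 4)]:
        print(f"{label:15} length {length}: {brute_force_days(chars, length):,.1f} days")
```

Lowering `seconds_per_guess` in `brute_force_days` shows how quickly a fast, unsalted derivation collapses these figures.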

Example

| Lock-Screen Type | Length | Chars | Number of passcodes | Brute-Force Days (iOS on device) | Brute-Force Days | Brute-Force Days | Cost $ Reserved (3 Years), GPU |
|---|---|---|---|---|---|---|---|
| Numerical | 4 | 10 | 10000 | 0.0 | 0.0 | 0.0 | 0.0 |
| Numerical | 6 | 10 | 1000000 | 0.9 | 0.0 | 0.0 | 0.0 |
| Numerical | 8 | 10 | 100000000 | 92.6 | 0.0 | 0.0 | 0.0 |
| Numerical | 10 | 10 | 10000000000 | 9,259.3 | 0.2 | 0.0 | 0.0 |
| Alphanum (10/26 letters) | 4 | 36 | 1679616 | 1.6 | 0.0 | 0.0 | 0.0 |
| Alphanum (10/26 letters) | 6 | 36 | 2176782336 | 2,015.5 | 0.0 | 0.0 | 0.0 |
| Alphanum (10/26 letters) | 7 | 36 | 78364164096 | 72,559.4 | 1.3 | 0.0 | 0.2 |
| Alphanum (10/26 letters) | 8 | 36 | 2.82111E+12 | 2,612,138.8 | 46.6 | 0.0 | 8.3 |
| Alphanum (10/26 letters) | 9 | 36 | 1.0156E+14 | 94,036,996.9 | 1,679.2 | 1.7 | 299.0 |
| Alphanum (10/26 letters) | 10 | 36 | 3.65616E+15 | 3,385,331,888.9 | 60,452.4 | 60.5 | 10,763.7 |
| Alphanum (10/52 letters) | 4 | 62 | 14776336 | 13.7 | 0.0 | 0.0 | 0.0 |
| Alphanum (10/52 letters) | 5 | 62 | 916132832 | 848.3 | 0.0 | 0.0 | 0.0 |
| Alphanum (10/52 letters) | 6 | 62 | 56800235584 | 52,592.8 | 0.9 | 0.0 | 0.2 |
| Alphanum (10/52 letters) | 7 | 62 | 3.52161E+12 | 3,260,754.3 | 58.2 | 0.1 | 10.4 |
| Alphanum (10/52 letters) | 8 | 62 | 2.1834E+14 | 202,166,764.4 | 3,610.1 | 3.6 | 642.8 |
| Alphanum (10/52 letters) | 9 | 62 | 1.35371E+16 | 12,534,339,394.7 | 223,827.5 | 223.8 | 39,852.9 |
| Complex | 4 | 107 | 131079601 | 121.4 | 0.0 | 0.0 | 0.0 |
| Complex | 5 | 107 | 14025517307 | 12,986.6 | 0.2 | 0.0 | 0.0 |
| Complex | 6 | 107 | 1.50073E+12 | 1,389,565.1 | 24.8 | 0.0 | 4.4 |
| Complex | 7 | 107 | 1.60578E+14 | 148,683,470.0 | 2,655.1 | 2.7 | 472.7 |
| Complex | 8 | 107 | 1.71819E+16 | 15,909,131,294.7 | 284,091.6 | 284.1 | 50,583.1 |

Citizen Application

Citizen applications for handling critical data

(similar to banking apps, password safes)

same considerations as for container applications

arbitrary environment (even less restricted than in BYOD), devices, versions

threat of malware (arbitrary application sources, malware)

Best Practice Managed

iOS:

encryption, MDM, application security/features

Android:

highly depends on the platform!

Stock Android: Lacking important MDM features!

Windows Phone/Windows Store:

Lacking MDM features, VPN (8.1 update...), otherwise comparable to iOS

Blackberry: Balance Framework! Good architecture.

Best Practice BYOD

Blackberry:

Balance framework: Huge plus (integrated BYOD solution)

iOS, Windows Phone/Store:

Huge advantages over Android

Android:

Alternative sources, deeply integrated system APIs, malware situation

Best Practice Citizen App

No platform choice, market and users decide

Developing apps which handle sensitive data

Know the platforms, their security features, weaknesses

Development by a security-aware team: cryptography, IT security, detailed knowledge about the platforms

Keep data on the device limited

iOS, Windows Phone, Blackberry easier to handle. Android ???

References, Contact

peter.teufl@iaik.tugraz.at

thomas.zefferer@iaik.tugraz.at

Refs:

https://sites.google.com/site/acnws2012/

http://www.iaik.tugraz.at/content/about_iaik/people/teufl_peter/

contact me if you need the PDFs, slides

Thx, and enjoy Praha!
