
Security of Mobile Devices

Jan Eichholz

Innovation Forum Mobility.Communication.Apps

1.2.2013

Page 2: Agenda

Mobile Devices and Security

Technologies for secure mobile devices
- Secure Elements
- The SIMAlliance Open Mobile API
- The Trusted Execution Environment

Security Certification

Conclusion


Page 4: Wallets are migrating into Smartphones

- Local payment via NFC
- Mobile banking transactions
- Ticketing
- Identification


Page 6: Android Malware

(Chart on Android malware; source: Kaspersky Lab. Image source: Wikimedia)

Page 7: Threats for mobile devices

Mobile devices hold significant amounts of personal information and sensitive credentials, which, if stolen, can be used for a variety of malicious purposes.

The mobile ecosystem has several characteristics that attackers can take advantage of:
- Always-on, improving accessibility
- Internet access through browsers
- Application markets
- Wireless interfaces (WiFi, 3G, BT, NFC) vulnerable to "Man in the Middle" or "Relay" attacks


Page 9: Security Solutions for Trusted Services around the Mobile

(Diagram of a mobile device and its security components; image source: Wikimedia)
- Embedded SE
- SIM-based SE
- Removable SE
- Trusted Execution Environment
- NFC

SE = Secure Element

Page 10: Secure Elements – The Security Anchor

- Designed to strongly protect data (keys, personal information)
- Provides strong cryptography
- Only certifiable device which resists side channel attacks (laser, power analysis, ...)
- Available in various form factors, with manifold interfaces
- Remotely manageable
- Interoperable through standards

Page 11: Secure Elements in Mobile Devices

SIM
- owned by the mobile network operators
- independent of the handset
- over-the-air activation and management

Secure micro SD card
- owned by a 3rd party (e.g. a bank)
- removable

Embedded secure element
- owned by the handset manufacturer
- remotely manageable

Page 12: Trusted Service Management (TSM)

Over-the-air management of secure elements and trusted services
- Provisioning
- Subscription
- Deployment
- Life cycle management

Page 13: SIMAlliance Open Mobile API

Enables smartphone applications to access any Secure Element in the device
- SIM card, μSD, embedded Secure Element, NFC

Can be implemented on any smartphone, regardless of its operating system
- An Android version is available

Provides high-level services that allow a smartphone application to
- Choose a Secure Element
- Store data in the Secure Element
- Send service-specific commands

Page 14: SIMAlliance Open Mobile API

(Architecture diagram; source: SIMAlliance. Labels recoverable from the diagram, by layer:)

Application Layer: Mobile Applications, Crypto API (PKCS / JCE), Further Functions

Service Layer: Crypto Provider, File Management / Storage / File system, Authentication, Secure Storage, Access Control, Further Functions

Transport Layer: Generic Transport, SIM Plug-in, ASSD Plug-in, further SE plug-ins; Secure Element Provider Interface

Secure Elements (e.g. SIM, Secure µSD, ...) from the SE provider; Test Specifications accompany the API

Page 15: SEEK for Android

Secure Element Evaluation Kit for Android

SIMAlliance Open Mobile API reference implementation: Smart Card API

You can participate: http://code.google.com/p/seek-for-android/
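As an added illustration of the "choose a Secure Element, select an applet, send commands" flow described on slides 13 and 15 (example code written for this page, not taken from the slides or from the SEEK project), the class below uses the org.simalliance.openmobileapi classes of the SEEK Smart Card API. The applet AID and the command APDU are constructed placeholders, the "SIM" reader-name prefix is an assumption, and the app is assumed to have been granted the Open Mobile API permission in its manifest.

```java
import java.io.IOException;
import android.content.Context;
import org.simalliance.openmobileapi.Channel;
import org.simalliance.openmobileapi.Reader;
import org.simalliance.openmobileapi.SEService;
import org.simalliance.openmobileapi.Session;

/** Selects an applet on the SIM via the Open Mobile API and sends it one command. */
public class SimAppletClient implements SEService.CallBack {
    // Placeholder AID (constructed); a real service selects its own applet's AID.
    private static final byte[] APPLET_AID = { (byte) 0xA0, 0x00, 0x00, 0x00, 0x00, 0x00 };
    // Constructed command APDU: CLA=0x80, INS=0x10, P1=P2=0x00, Le=0x00.
    private static final byte[] STATUS_APDU = { (byte) 0x80, 0x10, 0x00, 0x00, 0x00 };

    private final SEService seService;

    public SimAppletClient(Context context) {
        // Binding to the SmartCard service is asynchronous; serviceConnected() fires when ready.
        seService = new SEService(context, this);
    }

    @Override
    public void serviceConnected(SEService service) {
        Session session = null;
        Channel channel = null;
        try {
            Reader sim = findReader("SIM");              // reader-name prefix is an assumption
            if (sim == null || !sim.isSecureElementPresent()) return;   // choose the SE
            session = sim.openSession();
            channel = session.openLogicalChannel(APPLET_AID);   // SELECT by AID on a logical channel
            byte[] response = channel.transmit(STATUS_APDU);
            if (!isSuccess(response)) {
                // Non-9000 status word, e.g. 6A82 (application not found): treat as failure.
            }
        } catch (IOException e) {
            // SE unreachable or the command was refused; nothing sensitive is cached locally.
        } finally {
            if (channel != null) channel.close();
            if (session != null) session.close();
            seService.shutdown();
        }
    }

    private Reader findReader(String prefix) {
        for (Reader r : seService.getReaders())
            if (r.getName().startsWith(prefix)) return r;
        return null;
    }

    /** True when the response APDU ends with status word 90 00. */
    static boolean isSuccess(byte[] resp) {
        int n = resp.length;
        return n >= 2 && resp[n - 2] == (byte) 0x90 && resp[n - 1] == 0x00;
    }
}
```

Whether the calling app may open a channel to that AID is decided by the Secure Element's access control rules, which is why a denial surfaces as an exception rather than as a response APDU.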

Page 16: Building blocks of a Trusted Execution Environment

- TEE Road Map Working Group
- TEE APIs Working Group
- Compliance and Security Certification Working Group
- Remote SE Administration Working Group
- SE Access Control Working Group

Page 17: Trusted Execution Environment

Is an isolated environment running alongside the smart device operating system

Hosts Trusted Applications deployed by Service Providers
- Ensuring integrity and confidentiality of services
- Providing isolation between Trusted and Normal Applications

Provides simple means to build services based on
- Cryptography
- Secure Storage
- Secure Time
- Secure screen display
- Administration Framework

Designed to allow efficient security certification

Page 18: Bringing the technologies together: Secure approach

(Diagram)


Page 20: Security Certification

Measuring security is fundamental to offering all stakeholders a high-level and easy-to-read security classification.

Major certification schemes are Common Criteria, EMVCo and FIPS.

Different technologies require different levels of security certification.
- Being tamper resistant, smart secure devices offer guarantees of the highest level of security
- The TEE targets a balanced security certification assurance, compatible with the smartphone lifecycle


Page 22: Conclusion

The use of smartphones to access cloud services is exploding. The key factors are user convenience and connectivity.

Demand for secure mobile solutions is increasing strongly.

Technologies like secure elements, the Open Mobile API and the Trusted Execution Environment will facilitate the security of mobile applications and transactions.

Page 23: Contact

Jan Eichholz
Phone +49 89 4119-2684
eMail: [email protected]
Giesecke & Devrient GmbH