Upload
others
View
7
Download
0
Embed Size (px)
Citation preview
Security of Mobile Devices
Jan Eichholz
Innovation Forum Mobility.Communication.Apps
1.2.2013
Innovation Forum
Mobility.Communication.Apps
Secure Mobile Devices, Jan Eichholz
Page 2
Agenda
Mobile Devices and Security
Technologies for secure mobile devices-
Secure Elements
-
The SIMAlliance
Open Mobile API-
The Trusted Execution Environment
Security Certification
Conclusion
Innovation Forum
Mobility.Communication.Apps
Secure Mobile Devices, Jan Eichholz
Page 3
Innovation Forum
Mobility.Communication.Apps
Secure Mobile Devices, Jan Eichholz
Page 4
Wallets are migrating into Smartphones
Local payment via NFC
Mobile banking transactions
Ticketing
Identification
Innovation Forum
Mobility.Communication.Apps
Secure Mobile Devices, Jan Eichholz
Page 5
Source: Wikimedia
Source: wikipedia
Innovation Forum
Mobility.Communication.Apps
Secure Mobile Devices, Jan Eichholz
Page 6
Android Maleware
Source: Kaspersky
Lab
Source: Wikimedia
Innovation Forum
Mobility.Communication.Apps
Secure Mobile Devices, Jan Eichholz
Page 7
Threats for mobile devices
Mobile devices hold significant amounts of personal information and sensitive credentials, which if stolen can be used for a variety
of
malicious purposes
The mobile eco-system presents some characteristics on which attackers can take benefit
-
Always-on –
improving accessibility-
Internet access through Browsers
-
Application markets-
Wireless interfaces (WiFi, 3G, BT, NFC) vulnerable to „Man in the Middle“
or „Relay“
attacks
Innovation Forum
Mobility.Communication.Apps
Secure Mobile Devices, Jan Eichholz
Page 8
Agenda
Mobile Devices and Security
Technologies for secure mobile devices-
Secure Elements
-
The SIMAlliance
Open Mobile API-
The Trusted Execution Environment
Security Certification
Conclusion
Innovation Forum
Mobility.Communication.Apps
Secure Mobile Devices, Jan Eichholz
Page 9
Security Solutions for Trusted Services around the Mobile
Embedded
SE
SIM-based
SE
Removable
SE
Trusted Execution
Environment
SE = Secure Element
NFC
Source: Wikimedia
Innovation Forum
Mobility.Communication.Apps
Secure Mobile Devices, Jan Eichholz
Page 10
Secure Elements – The Security Anchor
Designed to strongly protect data (keys, personal information)
Provides strong cryptography
Only certifiable device which resists side channel attacks
(Laser,
power analysis, ...)
Available in various form factors, with manifold interfaces
Remotely manageable
Interoperable through
Standards
Innovation Forum
Mobility.Communication.Apps
Secure Mobile Devices, Jan Eichholz
Page 11
Secure Elements in Mobile Devices
SIM
-
owned by the mobile network operators-
independent of the handset
-
over-the-air activation and management
Secure micro SD card
-
Owned by a 3rd party (e.g. Bank)-
Removable
Embedded secure element
-
Owned by the handset manufacturer-
Remotely manageable
Innovation Forum
Mobility.Communication.Apps
Secure Mobile Devices, Jan Eichholz
Page 12
Trusted Service Management (TSM)
Over-the-air management of
secure elements and trusted
services
-
Provisioning-
Subscription
-
Deployment-
Life cycle management
Innovation Forum
Mobility.Communication.Apps
Secure Mobile Devices, Jan Eichholz
Page 13
SIMAlliance Open Mobile API
Enables Smart Phone Applications to access any Secure Elements in the device
-
SIM card, μSD, embedded Secure Element, NFC
Can be implemented on any Smart Phone, whatever is their operating system
-
Android version is available
Provides high level service to allow Smart Phone Application to-
Choose a Secure Element
-
Store data in Secure Element-
Send service specific commands
Innovation Forum
Mobility.Communication.Apps
Secure Mobile Devices, Jan Eichholz
Page 14
SIMAlliance Open Mobile API
Further FunctionsFurther
Functions
Mobile Applications
Transport
Acc
ess
Con
trol
SIM Plug in
APIs
Gen
eric
Tr
ansp
ort
Crypto API (PKCS / JCE)
Crypto provider
File
M
anag
emen
t
Aut
hent
icat
ion
Secu
re
Stor
age
ASSD Plug in
Secu
re E
lem
ent
Prov
ider
Inte
rfac
e
Further SEFurther SE
Mobile Device
Secure Elements (e.g. SIM, Secure µSD, …)
SE providerTest SpecificationsMobile Applications
Storage File system Further Functions
Access Control
Tran
spor
tLa
yer
Serv
ice
Laye
rA
pplic
atio
nLa
yer
…
Source: SIMAlliance
Innovation Forum
Mobility.Communication.Apps
Secure Mobile Devices, Jan Eichholz
Page 15
SEEK for Android
Secure Element Evaluation Kit for Android
SIMAlliance
Open Mobile reference
implementation:Smart Card API
You can participate:
http://code.google.com/p/seek-for-android/
Innovation Forum
Mobility.Communication.Apps
Secure Mobile Devices, Jan Eichholz
Page 16
Building blocks of an Trusted Execution Environment
TEE
Road Map
Working Group
TEE
APIs
Working Group
Compliance
and Security
Certification
Working Group
Remote SE
Administration
Working Group
SE
Access Control
Working Group
Innovation Forum
Mobility.Communication.Apps
Secure Mobile Devices, Jan Eichholz
Page 17
Trusted Execution Environment
Is an isolated environment running aside the Smart Device operating system
Hosts Trusted Applications deployed by Service Providers
-
Insuring integrity and confidentiality of services
-
Providing isolation between Trusted and Normal Applications
Provides some easy mean to build services based on
-
Cryptography
-
Secure Storage
-
Secure Time
-
Secure screen display
-
Administration Framework
Designed to allow efficient security certification
Innovation Forum
Mobility.Communication.Apps
Secure Mobile Devices, Jan Eichholz
Page 18
Bringing the technologies together: Secure approach
Innovation Forum
Mobility.Communication.Apps
Secure Mobile Devices, Jan Eichholz
Page 19
Agenda
Mobile Devices and Security
Technologies for secure mobile devices-
Secure Elements
-
The SIMAlliance
Open Mobile API-
The Trusted Execution Environment
Security Certification
Conclusion
Innovation Forum
Mobility.Communication.Apps
Secure Mobile Devices, Jan Eichholz
Page 20
Security Certification
Measuring security is fundamental to offering to all stakeholders a high level and easy-to-read security classification.
Major certification schemes are Common Criteria, EMVCo
and FIPS
Different technologies are requiring different levels of security certification.
-
Being tamper resistant, smart secure devices offer guarantees of the highest level of security
-
TEE is targeting a balanced security certification insurance, compatible with Smart Phone lifecycle
Innovation Forum
Mobility.Communication.Apps
Secure Mobile Devices, Jan Eichholz
Page 21
Agenda
Mobile Devices and Security
Technologies for secure mobile devices-
Secure Elements
-
The SIMAlliance
Open Mobile API-
The Trusted Execution Environment
Security Certification
Conclusion
Innovation Forum
Mobility.Communication.Apps
Secure Mobile Devices, Jan Eichholz
Page 22
Conclusion
The usage of Smartphones
to access Cloud services is exploding. Key is user convenience and connectivity.
The demand of secure mobile solutions is increasing heavily.
Technologies like secure elements, Open Mobile API and Trusted Execution Environment will facilitate the security of mobile applications and transactions.
Innovation Forum
Mobility.Communication.Apps
Secure Mobile Devices, Jan Eichholz
Page 23
Jan Eichholz
Phone +49 89 4119-2684
eMail: [email protected]
Giesecke & Devrient GmbH