Mobile Commerce: A Security Perspective
Pragati Ogal Rai, Chief Technology Evangelist, PayPal Inc.
@pragatiogal
My Ego Slide!
• Author of “Android Application Security Essentials”
• 2014 Zinnov Thought Leadership Award
• Mobile Developer Relations, PayPal North America
• 15+ Years Industry Experience
• Mobile, Android, Security, Payments and Commerce
@pragatiogal
www.slideshare.net/pragatiogal
www.linkedin.com/in/pragati
Mobile commerce is worth US$230 billion
Asia represents almost half of the market
M-Commerce will reach US$700 billion in 2017
http://www.digi-capital.com
Agenda
M-commerce defined
M-commerce ecosystem
End-to-end security
How does it affect me?
M-Commerce defined!
Commerce
Traditional e-commerce
Today’s Technology Trends
• Global
• Social
• Mobile
• Local
• Digital
• Service & delivery
Mobile Commerce
• Promotions & coupons
• Payments
• Location-based services
• In-store research
• Self-scanning & self-checkout
• Social commerce
• Loyalty
• Mobile shopping lists
M-Commerce Ecosystem
• Infrastructure
• Clients
• Merchants
Disconnected: Off-line m-commerce
• Disconnected
• Privacy
• Integrity of State
Partial Connectivity
• Infrastructure Centric Model
• Merchant Centric Model
• Client Centric Model
Partial Connectivity: Security Analysis
End to end security
Privacy
Client-merchant identification
Communication authentication
More points of attack
Full Connectivity
• End to end security
Challenges of m-commerce?
New market players and dynamics
Limitations of client devices
Portability
Pervasive computing
Location aware devices
Merchant machines
Standardization & approvals
Too many expectations
Biggest challenge? End-to-end security
End-to-end Security
Mobile Security Stack
Layers, top to bottom:
• Application
• Operating System
• Device Hardware
• Infrastructure/Network
Properties of the stack:
• Each layer takes care of its own security
• Each layer depends upon the lower layer for security
• Transitions between the layers can cause attacks
Infrastructure/Network Layer
• Third party networks
• GSM, CDMA, SMS, WAP, GPS…
• A security breach at this layer is usually device agnostic
Breaking GSM
https://srlabs.de/decrypting_gsm/
• GnuRadio is included in recent Linux distributions
• Airprobe: git clone git://git.gnumonks.org/airprobe.git
• Kraken: git clone git://git.srlabs.de/kraken.git
• Kraken uses rainbow tables available through Bittorrent
Device Hardware Layer
• Consumer Electronics Devices (CEDs)
• Some CEDs are connected
• Computing capability + runs software
• Smartphones, tablets, mobile PoS devices, parking meters, vending machines
• A flaw in chip design affects all hardware based on that chip
http://gadgetian.com/44495/google-lg-nexus-4-4g-lte-chip-inside-ifixit/
Device Security: Example
According to user "alephzain" on the mobile developer forum XDA Developers, who brought it to light, the flaw potentially affects Samsung devices that use Exynos processor models 4210 and 4412, specific examples including the Samsung Galaxy S2 and Samsung Galaxy Note 2, which use the dual-core, fourth-generation Exynos chips.
"The good news is we can easily obtain root on these devices and the bad is there is no control over it.
RAM dump, kernel code injection and others could be possible via app installation from the Play Store. There certainly exist many ways to do that, but Samsung gives an easy way to exploit. This security hole is dangerous and exposes the phone to malicious apps.
Exploitation with native C and JNI could be easily feasible."
http://www.zdnet.com/security-flaw-found-in-samsung-handsets-tablets-7000008880/
Operating System Layer
• Android, iOS, Symbian, Windows, J2ME
• Flaws are most common and are easily exploited
• Compromises security of applications
• A flaw affects the entire revision of the software
• Patches and security fixes are common
Android Software Stack
• Permission based application model
• Linux kernel based process sandboxing
OS Security: Example
http://www.androidpolice.com/2011/05/17/security-vulnerability-in-most-versions-of-android-allows-attackers-to-steal-your-login-credentials/
Android 2.3.3 and below…
When you log in to an account, an authToken is stored locally on your device for 14 days, allowing you to re-access the service without hassle. Unfortunately, tokens are transferred through an unencrypted channel, so they can easily be intercepted. Once intercepted, the attacker can log in to the account associated with the authToken without question.
• Don’t use public Wi-Fi!
• Patched in 2.3.4 and Honeycomb
Application Layer
• Your applications, system applications, applications you install
• Coding flaws, exploiting a hole in the OS
• Buffer overflows, data leakage, custom crypto algorithms, hardcoded values
Malicious App Examples
Android
• Repackaged apps on Play posing as Temple Run and Glu Mobile
• Lovetrap: Trojan, sends SMS
• Nickispy: Trojan, steals info
• Geinimi: Botnet, follows orders from a remote server, sends sensitive info back
iPhone
• Trojan sends out contact list to server
• Handy Light: secret tethering utility
TrustZone: Trusted Execution Environment
• Two domains: Normal & Secure
• Implemented in the SoC
• Security extensions to the processor
• Trusted OS
• Virtualization
How does it affect me?
Do NOT trust the mobile ecosystem!
Mobile Security Stack
• Application (only this is in your control!)
• Operating System
• Hardware
• Infrastructure/Network
Get to know the PCI standard. Period.
PCI Standard Council
• Independent organization
• PCI PTS approved add-on devices
• PA DSS approved applications
• Working with mobile vendors for further solutions around mobile payments
• Develop a common set of payment standards
– PCI-DSS v2.0
– PA-DSS
– PCI-PTS
– PCI-P2PE
PCI-DSS v2.0
• Build and maintain a secure network
• Protect cardholder data
• Regularly test and monitor networks
• Maintain an InfoSec policy
• Maintain a vulnerability management program
• Implement strong access control measures
• Encrypt sensitive data at rest and in transit
Avoid storing sensitive data on the device
Use OS security features
Authenticate your users
Authorized access to user data
Use your crypto tools
Identity is a challenge
Look beyond the hype
Summary
• M-commerce is a complex space
• Understand what mobile means for your business
• Identify assets/threats
• Analyze the technology being used
• Be aware of emerging standards
• Use OS security features, crypto tools, identity and authorization
Pragati Ogal Rai
@pragatiogal
http://www.slideshare.net/pragatiogal
Thank You!