Mobile Commerce: A Security Perspective Pragati Ogal Rai Chief Technology Evangelist, PayPal Inc. @pragatiogal


Page 1

Page 2

My Ego Slide!

• Author of “Android Application Security Essentials”

• 2014 Zinnov Thought Leadership Award

• Mobile Developer Relations, PayPal North America

• 15+ Years Industry Experience

• Mobile, Android, Security, Payments and Commerce

[email protected]

@pragatiogal

www.slideshare.net/pragatiogal

www.linkedin.com/in/pragati

Page 3

Mobile commerce is worth US$230 billion

Asia represents almost half of the market

M-Commerce will reach US$700 billion in 2017

http://www.digi-capital.com

Page 4

Agenda

M-commerce defined

M-commerce ecosystem

End-to-end security

How does it affect me?

Page 5

M-Commerce defined!

Page 6

Commerce

www.123rf.com, www.jaipuronline.in

Page 7

Traditional e-commerce

telegraph.co.uk

Page 8

Today’s Technology Trends

Global

Social

Mobile

Local

Digital

Service & delivery

Page 9

Mobile Commerce

Promotions & coupons

Payments

Location-based services

In-store research

Self-scanning & self-checkout

Social commerce

Loyalty

Mobile shopping lists

Page 10

M-Commerce Ecosystem

Page 11

M-commerce Ecosystem

Infrastructure

Clients

Merchants

Page 12

Disconnected: Off-line m-commerce

• Disconnected

• Privacy

• Integrity of State
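The "Integrity of State" concern above, as an added example in Python (not from the slides): the client keeps its off-line state (a constructed loyalty balance) under an HMAC tag made with a key provisioned while online, so a tampered balance or a replayed older copy is detected when the state is verified; the key, the field names and the sample values are assumptions, and the version check goes one step beyond what the slide lists.

```python
# Added example (not from the slides): integrity protection for client-held
# off-line state. Key, field names and sample balance are constructed.
import hashlib
import hmac
import json

# Assumption: a per-device key provisioned by the merchant/infrastructure
# while online; the client only stores sealed state and cannot forge tags.
DEVICE_KEY = b"constructed-demo-key-do-not-reuse"


def _canonical(state: dict) -> bytes:
    # Stable serialization so the tag does not depend on key order.
    return json.dumps(state, sort_keys=True, separators=(",", ":")).encode()


def seal_state(state: dict, key: bytes = DEVICE_KEY) -> dict:
    """Return a sealed copy: the state plus an HMAC-SHA256 tag over it."""
    tag = hmac.new(key, _canonical(state), hashlib.sha256).hexdigest()
    return {"state": state, "tag": tag}


def verify_state(sealed: dict, last_seen_version: int, key: bytes = DEVICE_KEY):
    """Return the state if its tag is valid and its version has not gone
    backwards (a replayed older balance); otherwise return None."""
    expected = hmac.new(key, _canonical(sealed["state"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        return None  # modified while disconnected, or sealed with another key
    if sealed["state"]["version"] < last_seen_version:
        return None  # stale copy presented in place of a newer one
    return sealed["state"]


# Constructed off-line state: a loyalty balance updated while disconnected.
OFFLINE_STATE = {"customer": "c-1234", "points": 120, "version": 7}
```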

Page 13

Partial Connectivity

Infrastructure Centric Model

Merchant Centric Model

Client Centric Model

Page 14

Partial Connectivity: Security Analysis

End to end security

Privacy

Client-merchant identification

Communication authentication

More points of attack

Page 15

Full Connectivity

• End to end security

Page 16

Challenges of m-commerce?

New market players and dynamics

Limitations of client devices

Portability

Pervasive computing

Location aware devices

Merchant machines

Standardization & approvals

Too many expectations

Biggest challenge? End-to-end security

Page 17

End-to-end Security

Page 18

Mobile Security Stack

[Diagram: Mobile Security Stack, top to bottom: Application, Operating System, Device Hardware, Infrastructure/Network]

• Each layer takes care of its own security

• Each layer depends upon the lower layer for security

• Transitions between the layers can cause attacks

Page 19

Infrastructure/ Network Layer

[Diagram: Mobile Security Stack, top to bottom: Application, Operating System, Device Hardware, Infrastructure/Network]

• Third party networks

• GSM, CDMA, SMS, WAP, GPS…

• Usually security breach at this layer is device agnostic

Page 20

Breaking GSM

https://srlabs.de/decrypting_gsm/

• GnuRadio is included in recent Linux distributions

• Airprobe: git clone git://git.gnumonks.org/airprobe.git

• Kraken: git clone git://git.srlabs.de/kraken.git

• Kraken uses rainbow tables available through Bittorrent

Page 21

Device Hardware Layer

[Diagram: Mobile Security Stack, top to bottom: Application, Operating System, Device Hardware, Infrastructure/Network]

Consumer Electronics Devices

Some CEDs are Connected

Computing capability + runs software

Smartphones, tablets, mobile PoS device, parking meter, vending machine

Flaw in chip design affects all hardware based on that chip

Page 22

Device Hardware

http://gadgetian.com/44495/google-lg-nexus-4-4g-lte-chip-inside-ifixit/

Page 23

Device Security: Example

Brought to light by user "alephzain" on mobile developer forum XDA Developers, the user claims that the flaw potentially affects Samsung devices that use Exynos processor models 4210 and 4412, specific examples including the Samsung Galaxy S2 and Samsung Galaxy Note 2 which use the dual core, fourth-generation Exynos chips.

"The good news is we can easily obtain root on these devices and the bad is there is no control over it.

RAM dump, kernel code injection and others could be possible via app installation from Play Store. There certainly exist many ways to do that, but Samsung gives an easy way to exploit. This security hole is dangerous and exposes the phone to malicious apps.

Exploitation with native C and JNI could be easily feasible."

http://www.zdnet.com/security-flaw-found-in-samsung-handsets-tablets-7000008880/

Page 24

Operating System Layer

[Diagram: Mobile Security Stack, top to bottom: Application, Operating System, Device Hardware, Infrastructure/Network]

• Android, iOS, Symbian, Windows, J2ME

• Flaws are most common and are easily exploited

• Compromises security of applications

• Flaw affects entire revision of software

• Patches and security fixes are common

Page 25

Android Software Stack

• Permission based application model

• Linux kernel based process sandboxing

Page 26

OS Security: Example

http://www.androidpolice.com/2011/05/17/security-vulnerability-in-most-versions-of-android-allows-attackers-to-steal-your-login-credentials/

Android 2.3.3 and below …..

When you login to an account, an authToken is stored locally on your device for 14 days, allowing you to re-access the service without hassle. Unfortunately, tokens are transferred through an unencrypted channel, so they can easily be intercepted. Once intercepted, the attacker can login to the account associated with the authToken without question.

• Don’t use public Wi-fi!

• Patched in 2.3.4 and Honeycomb
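The token leak described on this slide, as an added example in Python (not from the slides or from Android itself): a client-side guard that refuses to attach the cached authToken to anything but an https URL and honours the 14-day lifetime, plus a small scan over a constructed proxy capture that flags the kind of cleartext request an on-path attacker on public Wi-Fi could read; the header format, the capture line format and the sample lines are assumptions.

```python
# Added example (not from the slides): client-side guards for a cached auth
# token. Header format, capture line format and sample lines are constructed.
from datetime import datetime, timedelta
from urllib.parse import urlsplit

TOKEN_LIFETIME = timedelta(days=14)  # lifetime stated on the slide


class InsecureChannel(Exception):
    """Raised when a request would carry the token over plaintext HTTP."""


def channel_is_secure(url: str) -> bool:
    """Only an https URL may carry the token; anything else is interceptable."""
    return urlsplit(url).scheme.lower() == "https"


def token_is_fresh(issued_at: str, now: str) -> bool:
    """A cached token is usable only within its 14-day lifetime (ISO-8601 input)."""
    age = datetime.fromisoformat(now) - datetime.fromisoformat(issued_at)
    return timedelta(0) <= age < TOKEN_LIFETIME


def attach_auth_token(url: str, headers: dict, token: str) -> dict:
    """Return a copy of headers with the token attached, refusing non-https
    targets so the token never leaves the device in cleartext, whatever
    network (public Wi-Fi included) the device happens to be on."""
    if not channel_is_secure(url):
        raise InsecureChannel(f"refusing to send auth token over {url}")
    out = dict(headers)
    out["Authorization"] = f"AuthToken {token}"  # assumed header format
    return out


def cleartext_token_requests(capture_lines):
    """Flag requests in a proxy capture that carry an Authorization header to
    an http:// target, i.e. exactly what an on-path attacker could read.
    Line format (constructed): '<METHOD> <absolute-url> <Header>: <value>'."""
    hits = []
    for line in capture_lines:
        method, url, header, _value = line.split(" ", 3)
        if header.lower() == "authorization:" and not channel_is_secure(url):
            hits.append((method, url))
    return hits


# Constructed capture: the first request leaks the token in cleartext.
SAMPLE_CAPTURE = [
    "GET http://calendar.example/feeds/default Authorization: AuthToken DQAAA-demo",
    "GET https://calendar.example/feeds/default Authorization: AuthToken DQAAA-demo",
    "GET http://calendar.example/public Accept: */*",
]
```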

Page 27

Application Layer

[Diagram: Mobile Security Stack, top to bottom: Application, Operating System, Hardware, Infrastructure/Network]

• Your applications, system applications, applications you install

• Coding flaws, exploiting a hole in OS

• Buffer overflows, data leakage, custom crypto algorithms, hardcoded values

Page 28

Malicious App Examples

Android

Repackaged Apps on Play posing as TempleRun and Glu Mobile

Lovetrap: Trojan, sends SMS

Nickispy: Trojan, steals info

Geinimi: Botnet, follows orders from remote server, sends sensitive info back

iPhone

Trojan sends out contact list to server

Handy Light: secret tethering utility

Page 29

TrustZone: Trusted Execution Environment

www.arm.com

• Two domains: Normal & Secure

• Implemented as SoC

• Security extensions to processor

• Trusted OS

• Virtualization

Page 30

How does it affect me?

Page 31

Do NOT trust the mobile ecosystem!

[Diagram: Mobile Security Stack, top to bottom: Application, Operating System, Hardware, Infrastructure/Network]

Only this is in your control!

Page 32

Get to know the PCI standard. Period.

Page 33

PCI Standard Council

Independent organization

PCI PTS approved add-on devices

PA DSS approved applications

Working with mobile vendors for further solutions around mobile payments

Develop common set of payment standards

– PCI-DSS v2.0

– PA-DSS

– PCI-PTS

– PCI-P2PE

Page 34

PCI-DSS V2.0

Build and maintain a secure network

Protect cardholder data

Regularly test and monitor networks

Maintain an InfoSec policy

Maintain vulnerability management program

Implement strong access control measures

Page 35

Encrypt sensitive data at rest and transit

microsoft.com

Page 36

Avoid storing sensitive data on device

Page 37

Use OS security features

Lifehacker.com

Page 38

Authenticate your users

Statetechmagazine.com

Page 39

Authorized access to user data

www.123rf.com

Page 40

Use your crypto tools

www.catalogs.com

Page 41

Identity is a challenge

www.interactiveinsightsgroup.com

Page 42

Look beyond the hype

www.mashable.com

Page 43

Summary

M-commerce is a complex space

Understand what mobile means for your business

Identify assets/ threats

Analyze technology being used

Be aware of emerging standards

Use OS security features, crypto tools, identity and authorization

Page 44

Pragati Ogal Rai

@pragatiogal

http://www.slideshare.net/pragatiogal

Thank You!