Mobile Commerce Security – Presentation by Mahmoud Youssef Mohamed, PhD Candidate – IT major

Posted on 18-Dec-2015


Mobile Commerce Security

Presentation By

Mahmoud Youssef Mohamed

PhD Candidate – IT major

Topics

• Mobile Commerce: The future of E-commerce

• Mobile Commerce Applications

• Mobile Computing Technologies

• New Security Risks

• New Privacy Risks

• Software Risks

• Conclusion

What is Mobile Commerce

Mobile Commerce (M-Commerce) is an emerging discipline involving applications, mobile devices, wireless networks, location technologies, and middleware [Cousins and Varshney]

Mobile devices usually use a different set of Internet protocols called the Wireless Application Protocol (WAP)

The Enabling Technologies

• Wireless Networks

– Wireless WAN (CDPD)

– Wireless LAN (802.11a and 802.11b)

– Short Range (Bluetooth)

– Radio Frequency Identification (RFID)

• Location Technologies

– Outdoor Technologies: Infrastructure-based, Device-based

– Indoor Technologies

• Mobile Devices

• Programming Standards (J2ME)

The Market Opportunity for M-Commerce

Reports from Siemens and Ericsson (2001) predict the number of mobile devices to reach 500 million devices by 2002, and 1 billion devices by 2004

Durlacher (2000) expects the European market to reach €23 billion by 2003

Mobile advertising will be the killer application with 23% of the market size and mobile shopping will be the third major application with 15% of the market size

Mobile Commerce Applications

Source (Ovum): http://www.ovum.com

• Mobile Financial Services

• Mobile Security Services

• Mobile Shopping

• Mobile Advertising

• Mobile Dynamic Information Management

• Mobile Information Provisioning

• Mobile Entertainment

• Mobile Telematics

• Mobile Customer Care

Mobile Computing Technologies

• Mobile Computing Environment

• Wireless Application Protocol (WAP) Architecture

• Bluetooth

• Comparison between Internet and WAP technologies

Mobile Computing Environment

Source: Barbara, D. 1999, Mobile Computing and Databases – A survey

WAP Architecture

Source: WAP Forum, Wireless Application Protocol Overview

[Figure: WAP architecture. Client (WML, WML-Script, WTAI, etc.) ↔ WSP/WTP ↔ WAP Gateway (WML Encoder, WMLScript Compiler, Protocol Adapters) ↔ HTTP ↔ Web Server (Content, CGI Scripts, etc.). WML Decks with WML-Script travel from the web server through the gateway to the client.]

Comparison between Internet and WAP technologies

Source: WAP Forum, Wireless Application Protocol Overview

[Figure: the two protocol stacks side by side]

Internet                 Wireless Application Protocol
HTML, JavaScript         Wireless Application Environment (WAE)   Other Services and Applications
HTTP                     Session Layer (WSP)
                         Transaction Layer (WTP)
TLS - SSL                Security Layer (WTLS)
TCP/IP, UDP/IP           Transport Layer (WDP)
                         Bearers: SMS, USSD, CSD, IS-136, CDMA, CDPD, PDC-P, etc.

Bluetooth

Bluetooth is the codename for a small, low-cost, short range wireless technology specification

Enables users to connect a wide range of computing and telecommunication devices easily and simply, without the need to buy, carry, or connect cables.

Bluetooth enables mobile phones, computers and PDAs to connect with each other using short-range radio waves, allowing them to "talk" to each other

It is also cheap

Bluetooth Security

Bluetooth provides security between any two Bluetooth devices for user protection and secrecy

• Mutual and unidirectional authentication

• Encrypts data between two devices

• Session key generation

– Configurable encryption key length

– Keys can be changed at any time during a connection

• Authorization (whether device X is allowed to have access to service Y)

– Trusted Device: The device has been previously authenticated, a link key is stored and the device is marked as “trusted” in the Device Database.

– Untrusted Device: The device has been previously authenticated, a link key is stored but the device is not marked as “trusted” in the Device Database.

– Unknown Device: No security information is available for this device. This is also an untrusted device.

• Automatic output power adaptation to reduce the range exactly to requirement makes the system extremely difficult to eavesdrop on

New Security Risks

• Abuse of cooperative nature of ad-hoc networks

– An adversary that compromises one node can disseminate false routing information.

• Malicious domains

– A single malicious domain can compromise devices by downloading malicious code

• Roaming (are you going to the bad guys?)

– Users roam among non-trustworthy domains

New Security Risks Cont’d

• Launching attacks from mobile devices

– With mobility, it is difficult to identify attackers

• Loss or theft of device

– More private information than desktop computers

– Security keys might have been saved on the device

– Access to corporate systems

– Bluetooth provides security at the lower layers only: a stolen device can still be trusted

New Security Risks Cont’d

• Problems with Wireless Transport Layer Security (WTLS) protocol

– Security Classes:

  • No certificates

  • Server only certificate (Most Common)

  • Server and client certificates

– Re-establishing connection without re-authentication

– Requests can be redirected to malicious sites

New Privacy Risks

• Monitoring user’s private information

– Examples: DoubleClick and Engage

• Offline telemarketing

– Examples: AT&T and Sprint

– Who is going to read the “legal jargon”?

• Value added services based on location awareness (Location-Based Services)

– Example: Pushing cuisine information and coupons

Targeted Marketing Applications

Keeping customers interested mandates personalization (based on their user profiles)

Adding location to the customer selection criteria makes it even more effective.

Much information can be inferred by linking a user profile to her current location

W3C’s Platform for Privacy Preferences (P3P) informs users about the privacy policy of the sites they visit

Privacy Protection

Considerable privacy protection can be achieved by designing an access control model that enables the user to define the access modes granted to merchants based on:

• The individual merchant or a class of merchants

• The time interval in the query

• The location windows in the query

However, centralized management of profiles is needed.
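The access control model just outlined, written out as an added example that is not part of the original slides: a profile of user-defined rules keyed by merchant or merchant class, time interval and location window, evaluated first-match with default deny. The merchant names, classes and coordinates are constructed, as is the "coarse" mode, which snaps the position to a grid cell instead of disclosing it exactly.

```python
"""User-defined access control over location queries from merchants.

Added example (not from the slides): each Rule grants an access mode to a
merchant or a class of merchants, optionally limited to a time interval and a
location window; evaluation is first-match with default deny. Merchant names,
classes, coordinates and the 'coarse' mode are constructed for this demo.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Tuple

BBox = Tuple[float, float, float, float]  # (min_lat, min_lon, max_lat, max_lon)


@dataclass(frozen=True)
class Merchant:
    merchant_id: str
    merchant_class: str  # e.g. "restaurant", "retail"


@dataclass(frozen=True)
class Rule:
    """One grant in the user's profile; a None field means 'any'."""
    mode: str                              # "exact", "coarse" or "deny"
    merchant_id: Optional[str] = None      # the individual merchant ...
    merchant_class: Optional[str] = None   # ... or a class of merchants
    time_from: Optional[time] = None       # time interval of the query (inclusive)
    time_to: Optional[time] = None
    window: Optional[BBox] = None          # location window of the query

    def matches(self, m: Merchant, when: datetime, lat: float, lon: float) -> bool:
        if self.merchant_id is not None and self.merchant_id != m.merchant_id:
            return False
        if self.merchant_class is not None and self.merchant_class != m.merchant_class:
            return False
        if self.time_from is not None and self.time_to is not None:
            if not (self.time_from <= when.time() <= self.time_to):
                return False
        if self.window is not None:
            min_lat, min_lon, max_lat, max_lon = self.window
            if not (min_lat <= lat <= max_lat and min_lon <= lon <= max_lon):
                return False
        return True


def coarsen(lat: float, lon: float, cell: float = 0.1) -> Tuple[float, float]:
    """Snap a position to a ~10 km grid cell so only the area is disclosed."""
    return (round(lat // cell * cell, 4), round(lon // cell * cell, 4))


def evaluate(rules: List[Rule], merchant: Merchant, when: datetime,
             lat: float, lon: float) -> Tuple[str, Optional[Tuple[float, float]]]:
    """Return (mode, position disclosed to the merchant).

    Rules are ordered and the first match wins; a query no rule covers is denied.
    """
    for rule in rules:
        if rule.matches(merchant, when, lat, lon):
            if rule.mode == "exact":
                return ("exact", (lat, lon))
            if rule.mode == "coarse":
                return ("coarse", coarsen(lat, lon))
            return ("deny", None)
    return ("deny", None)


# Constructed profile: restaurants get the exact position downtown at lunchtime,
# retailers only a coarse position downtown, one merchant is blocked outright.
DOWNTOWN: BBox = (30.00, 31.20, 30.10, 31.30)
PROFILE = [
    Rule("deny", merchant_id="spammy-coupons"),
    Rule("exact", merchant_class="restaurant",
         time_from=time(11, 30), time_to=time(14, 0), window=DOWNTOWN),
    Rule("coarse", merchant_class="retail", window=DOWNTOWN),
]
```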

Software Risks

• Wireless Application Protocol (WAP) Risks

• Platform Risks

• Java Security

• Application Risks

• WMLScript

• Risks of WMLScript

WAP Risks

• WAP Gap

– Claim: WTLS protects WAP as SSL protects HTTP

– Problem: In the process of translating one protocol to another, information is decrypted and re-encrypted

– Recall the WAP Architecture

– Solution: Doing decryption/re-encryption in the same process on the WAP gateway

• Wireless gateways as single point of failure
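The WAP gap as an added toy model, not code from the slides: a gateway object that terminates the handset leg and re-encrypts for the server leg, so the request is in the clear inside the gateway process, plus a second run with an end-to-end layer the gateway cannot open (a mitigation beyond the slide's same-process suggestion, which narrows where the plaintext lives but does not remove it). The ciphers are stand-in keystream XORs, not WTLS or TLS, and all keys and the payload are constructed.

```python
"""Toy model of the WAP gap (added example; the ciphers are stand-ins, not WTLS/TLS).

The handset protects the request on the WTLS leg, the gateway terminates WTLS,
re-encrypts for the SSL leg and forwards to the web server. Because the gateway
must decrypt to translate, the request exists in plaintext inside the gateway
process. A second run wraps the payload in an end-to-end layer keyed between
handset and server (a mitigation not on the slide), so the gateway relays only
ciphertext. Keys and the payload are constructed for the demonstration.
"""
import hashlib
from typing import List, Tuple


def _toy_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream. Demo only: no integrity protection,
    and a key must never be used for two messages."""
    stream = b"".join(
        hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        for i in range(len(data) // 32 + 1)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


_toy_decrypt = _toy_encrypt  # XOR keystream: decryption is the same operation


class WapGateway:
    """Terminates the handset (WTLS) leg and originates the server (SSL) leg."""

    def __init__(self, wtls_key: bytes, ssl_key: bytes) -> None:
        self._wtls_key = wtls_key
        self._ssl_key = ssl_key
        self.plaintext_seen: List[bytes] = []  # what code inside the gateway can read

    def forward(self, wtls_ciphertext: bytes) -> bytes:
        request = _toy_decrypt(self._wtls_key, wtls_ciphertext)  # WTLS ends here
        self.plaintext_seen.append(request)                      # the WAP gap
        return _toy_encrypt(self._ssl_key, request)              # SSL leg begins here


def run_transaction(payload: bytes, end_to_end: bool) -> Tuple[bytes, bytes]:
    """Send one request handset -> gateway -> server.

    Returns (bytes the gateway held in the clear, bytes the server recovered).
    """
    wtls_key = b"constructed-handset-gateway-key"
    ssl_key = b"constructed-gateway-server-key"
    e2e_key = b"constructed-handset-server-key"   # never given to the gateway
    gateway = WapGateway(wtls_key, ssl_key)

    # Handset side: optional end-to-end layer, then the WTLS leg to the gateway.
    body = _toy_encrypt(e2e_key, payload) if end_to_end else payload
    to_server = gateway.forward(_toy_encrypt(wtls_key, body))

    # Server side: strip the SSL leg, then the end-to-end layer if present.
    recovered = _toy_decrypt(ssl_key, to_server)
    if end_to_end:
        recovered = _toy_decrypt(e2e_key, recovered)
    return gateway.plaintext_seen[0], recovered


PAYLOAD = b"POST /pay account=TEST-ACCOUNT&pin=0000"  # constructed request
```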

Platform Risks

• Without a secure OS, achieving security on mobile devices is almost impossible

• Learned lessons:

– Memory protection of processes

– Protected kernel rings

– File access control

– Authentication of principals to resources

– Differentiated user and process privileges

– Sandboxes for untrusted code

– Biometric authentication

What is Java?

• The most robust, easy-to-use, versatile language available today

• Applications written for traditional operating systems are tied directly to that platform and cannot be easily ported to other platforms

– Often vendors need to provide different versions of the same software

• Java has Write Once/Run Anywhere executables

– Allows Java programs written on one type of hardware or OS to run unmodified on almost any other type of computer

– Its best aspect is that it is architecture neutral

[Figure: Java applications run on the Java Virtual Machine, which in turn runs on Unix, Windows, OS/2, MacOS and on Sparc, Intel/Others, PowerPC hardware]

What is Java?

• Java is both interpreted and compiled

– Interpreted languages - BASIC: translates line-by-line and executes them, so slower

– Compiled languages - COBOL, C, C++, FORTRAN: translates the entire program into machine code and then the machine code is executed, so faster

• First, source code is compiled to an intermediate code called bytecode

• Java runtime interpreter then translates the compiled bytecode to machine code

• Bytecode is different from machine code (more like assembly language)

• Includes the best aspects of C/C++, leaving out complicated aspects such as multiple inheritance, pointers etc.

What is mobile code?

• Mobile code is a general term that refers to executable code that migrates and executes on remote hosts

• Code travels from server machine to the client machine

• Provides rich data display

– A stock broker may publish the results of a financial analysis model

– Instead of publishing the result of the model as a graph, the broker could publish the model itself with connections to live stock market data and customer’s portfolio

• Efficient use of network

What is Mobile Code?

Types of Mobile Code

• One-hop agents

– Sent on demand from a server to a client machine and executed

– After execution, the result generated by the agent or the agent itself is sent to the owner who sent it

– E.g. Java applets: an applet is a small piece of executable code, which may be included in a web page

• Multi-hop agents

– Sent on the network to perform a series of tasks

– These agents may visit multiple agent platforms and communicate with other agents

– You may send personalized agents to roam the Internet: to monitor your favorite Web sites, get you the ticket you couldn't get at the box office, help you to schedule meetings for your next overseas trip.

Threats to and due to mobile code

• Malicious code

– May disclose or damage our private data

– Spend our money?

– Crash the system?

– Challenge is to execute useful applets while protecting systems from malicious code

• Malicious host

– Challenge is to protect the agents from malicious servers

Techniques to prevent malicious code

• Code blocking

• Authentication

• Safe interpreters

• Fault isolation

• Code inspection and verification

Code blocking

• Disabling applications

– Switching off Java in Java-enabled browsers

– Relies on users complying with the security policy

– Not easy to administer in a large environment

– Prevents intranet use of mobile code

• Filtering

– Firewalls to filter web pages containing applets

– Does not rely on user compliance

– Management can be centralized

Code blocking using firewalls

• Rewriting <applet> tags

– Browser does not receive the <applet> and so no applet is fetched

• Blocking by hex signatures

– Java class files start with a 4-byte hex signature CA FE BA BE

– Apply in combination with <applet> blocker

• Blocking by filenames

– Files with names ending .class

– Need to handle .zip files that encapsulate Java class files
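The three blocking strategies on this slide, implemented as an added example (not code from the presentation) in the shape of an HTTP proxy decision function: applet-tag rewriting, the CA FE BA BE signature check and filename matching, with .zip/.jar members inspected by both name and signature so a renamed class file inside an archive is still caught. The HTML, the class-file header bytes and the archive are constructed inputs.

```python
"""Applet content filter for an HTTP proxy/firewall (added example).

Implements the three strategies from the slide:
  1. rewriting <applet> elements so the browser never fetches the applet,
  2. blocking by the 4-byte class-file signature CA FE BA BE,
  3. blocking by filename (.class), including .class entries inside .zip/.jar.
Signature checking also runs on archive members, so a class file hidden under
another name is caught. Sample HTML and archive bytes are constructed.
"""
import io
import re
import zipfile

CLASS_MAGIC = bytes.fromhex("CAFEBABE")  # every Java class file starts with this

# A whole <applet ...> ... </applet> element (case-insensitive, may span lines),
# plus a fallback for a stray start tag that never gets closed.
_APPLET_RE = re.compile(r"<applet\b.*?</applet\s*>", re.IGNORECASE | re.DOTALL)
_APPLET_OPEN_RE = re.compile(r"<applet\b[^>]*>", re.IGNORECASE)
_REPLACEMENT = "<!-- applet removed by policy -->"


def rewrite_applet_tags(html: str) -> str:
    """Strategy 1: the browser receives no <applet>, so no applet is fetched."""
    html = _APPLET_RE.sub(_REPLACEMENT, html)
    return _APPLET_OPEN_RE.sub(_REPLACEMENT, html)


def is_class_file(data: bytes) -> bool:
    """Strategy 2: signature check, independent of the filename."""
    return data[:4] == CLASS_MAGIC


def blocked_by_filename(name: str) -> bool:
    """Strategy 3: name-based check (cheap, but defeated by renaming)."""
    return name.lower().endswith(".class")


def archive_contains_class(data: bytes) -> bool:
    """Open a .zip/.jar in memory; flag class files by name or by signature."""
    if not data.startswith(b"PK"):  # zip local-file-header signature
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if blocked_by_filename(info.filename):
                    return True
                with zf.open(info) as member:
                    if is_class_file(member.read(4)):  # renamed class inside archive
                        return True
    except (zipfile.BadZipFile, RuntimeError):
        return True  # unreadable or encrypted archive: fail closed
    return False


def decide(url_path: str, body: bytes) -> str:
    """Return 'block' or 'allow' for one response passing through the proxy."""
    if blocked_by_filename(url_path) or is_class_file(body):
        return "block"
    if archive_contains_class(body):
        return "block"
    return "allow"


# --- constructed sample inputs ---
SAMPLE_HTML = (
    "<html><body>Quotes:"
    '<APPLET code="Ticker.class" width=300 height=50>'
    "<param name=sym value=ACME></APPLET></body></html>"
)
FAKE_CLASS = CLASS_MAGIC + b"\x00\x03\x00\x2d" + b"\x00" * 16  # header bytes only


def build_sample_archive() -> bytes:
    """A zip holding a class file stored under a non-.class name (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see")
        zf.writestr("Ticker.bin", FAKE_CLASS)  # renamed class file
    return buf.getvalue()
```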

Authentication

• Achieved through code signing

– Based on the assurance obtained when the source of the code is trusted

– On receiving the mobile code, client verifies whether it was signed by an entity on a trusted list

– Used in JDK 1.1 and ActiveX

– Once signature is verified, code has full privileges

• Problems

– Trust model is all or nothing (trusted versus untrusted)

– Needs public key infrastructure

– Limits users (the untrusted code may be useful and benign)

– No protection if the code from a trusted source is malicious

Safe Interpreters

• Instead of using compiled executables, interpret mobile code

– Interpreter enforces a security policy

– Each instruction is executed only if it satisfies the security policy

• Examples of safe interpreters

– Safe-Tcl

– Telescript

– Java VM

Safe interpreter: The Sandbox security model

• The applet’s actions are restricted to a sandbox

– The applet may do anything it wants within its sandbox, but cannot read or alter any data outside of its sandbox

• Applets and applications

– Local code is trusted and has full access to system resources

– Downloaded remote code is restricted

– Java applications may be purchased and installed just like traditional applications; these are trusted

[Figure: the JVM sandbox. Local code reaches Valuable Resources directly; Remote code is confined to the sandbox inside the JVM]

Building the sandbox

• Class loader

– Responsible for loading classes

– Given a class name, fetches the remote applet’s code (i.e., locates, generates its definitions)

– Keeps namespaces of different applets separate

• Bytecode verifier

– Checks a classfile for validity (bytecode conformance to language specification and that there are no violations of Java language rules)

  • Code has only valid instructions

  • Code does not overflow or underflow the stack

  • Does not change the data types illegally

– Goal is to prevent access to the underlying machine via crashes, undefined states
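A miniature of the verifier's three checks, as an added example (not the JVM's verifier or its instruction set): before anything executes, it walks the code once with a stack of operand types instead of values and reports unknown instructions, stack underflow or overflow against the declared max_stack, and type mismatches. The instruction table and the sample programs are constructed.

```python
"""Toy bytecode verifier (added example: a miniature of the checks the slide
lists, not the real JVM verifier or instruction set).

Verification happens before any instruction runs. The verifier walks the code
with an abstract stack holding operand *types* rather than values and rejects
the class if an instruction is unknown, the stack would under- or overflow its
declared max_stack, or an instruction gets operands of the wrong type.
"""
from typing import Dict, List, Tuple

# mnemonic -> (types popped, types pushed). Constructed mini instruction set;
# '*' means any type, and a pushed '*' is the type that was popped (for DUP).
ISA: Dict[str, Tuple[List[str], List[str]]] = {
    "ICONST":      ([], ["int"]),              # push an int constant
    "ACONST_NULL": ([], ["ref"]),              # push a null reference
    "IADD":        (["int", "int"], ["int"]),  # add two ints
    "DUP":         (["*"], ["*", "*"]),        # duplicate top of stack
    "POP":         (["*"], []),                # discard top of stack
    "ARRAYLENGTH": (["ref"], ["int"]),         # needs a reference, yields an int
    "IRETURN":     (["int"], []),              # return an int
}

Instruction = Tuple[str, ...]  # (mnemonic, *operands)


def verify(code: List[Instruction], max_stack: int) -> List[str]:
    """Return the list of violations; an empty list means the code is accepted."""
    errors: List[str] = []
    stack: List[str] = []  # abstract operand stack: type names only
    for pc, instr in enumerate(code):
        op = instr[0]
        if op not in ISA:
            errors.append(f"pc {pc}: invalid instruction {op!r}")
            break  # nothing after an unknown opcode can be trusted
        pops, pushes = ISA[op]
        if len(stack) < len(pops):
            errors.append(f"pc {pc}: {op} underflows the stack")
            break
        popped = [stack.pop() for _ in pops][::-1]  # restore operand order
        for want, got in zip(pops, popped):
            if want != "*" and want != got:
                errors.append(f"pc {pc}: {op} expects {want}, found {got}")
        bound = popped[0] if popped else None
        for t in pushes:
            stack.append(bound if t == "*" else t)
        if len(stack) > max_stack:
            errors.append(f"pc {pc}: {op} overflows max_stack={max_stack}")
            break
    if not code or code[-1][0] != "IRETURN":
        errors.append("code does not end with a return")
    return errors


# --- constructed sample programs ---
WELL_FORMED = [("ICONST", 1), ("ICONST", 2), ("IADD",), ("IRETURN",)]
UNDERFLOW = [("ICONST", 1), ("IADD",), ("IRETURN",)]
OVERFLOW = [("ICONST", 1), ("ICONST", 2), ("ICONST", 3), ("POP",), ("POP",), ("IRETURN",)]
TYPE_CONFUSION = [("ICONST", 1), ("ARRAYLENGTH",), ("IRETURN",)]  # int used as ref
UNKNOWN_OP = [("UNKNOWN_0xFF",), ("IRETURN",)]
```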

Building the Sandbox

• Security manager

– Enforces the boundaries of the sandbox

– Whenever an applet tries to perform an action, the Java virtual machine first asks the security manager if the action can be performed safely

– JVM performs the action only if the security manager approves

– E.g., a trusted applet from the local disk trying to read the disk

– Imported untrusted applet may be trying to connect back to its home server

– If no security manager is installed, all privileges are granted

• Security manager will not allow an untrusted applet to read/write to a file, delete a file, get any info about a file, execute OS commands or native code, load a library, or establish a network connection to any machine other than the applet’s home server

Extensions to the Sandbox

• JDK 1.1.x

– Supports digitally signed applets

– If signature can be verified, a remote applet is treated as local trusted code

• JDK 1.2

– No concept of local trusted code

– All code is subject to verification

– Fine grained, domain based and extensible access control: typed and grouped permissions

– Configurable security policy

Application Risks to Mobile Devices

• Java Virtual Machine (JVM) implementation

– No type check is implemented

– No sandbox or stack introspection

• The use of C language with its related problems

• Security tradeoffs imposed by limited capabilities

WMLScript

• Scripting is heavily used for client-side processing to offload servers and reduce demand on bandwidth

• Wireless Markup Language (WML) is the equivalent to HTML, but derived from XML

• WMLScript is WAP’s equivalent to JavaScript

• Derived from JavaScript™

WMLScript Cont’d

• Integrated with WML

• Reduces network traffic

• Has procedural logic, loops, conditionals, etc.

• Optimized for small-memory, small-CPU devices

• Bytecode-based virtual machine

• Compiler in network

• Works with Wireless Telephony Application (WTA) to provide telephony functions

Risks of WMLScript

• Lack of Security Model

– Does not differentiate trusted local code from untrusted code downloaded from the Internet. So, there is no access control!!

– WMLScript is not type-safe.

– Scripts can be scheduled to be pushed to the client device without the user’s knowledge

– Does not prevent access to persistent storage

• Possible attacks:

– Theft or damage of personal information

– Abusing user’s authentication information

– Maliciously offloading money saved on smart cards

Conclusion

• The platform and languages used have failed to adopt fundamental security concepts

• Encrypted communication protocols are necessary to provide confidentiality, integrity, and authentication services to m-commerce applications

• The greatest risk is possibly coming from mobile code

Conclusion Cont’d

• Some of these problems are expected to be fixed in the near future. However, other problems will continue to exist.

• Security models have to be part of the design

• Currently, accumulated experience in the security field has not been fully utilized in mobile commerce systems.

• The success of mobile commerce will depend critically on the level of security available.