© OMTP All rights reserved Slide 1 Surfing with the Sharks

Securing Mobile Widgets

5th ETSI Security Workshop, 20th January 2010, Sophia Antipolis, France
David Rogers, Director of External Relations, OMTP

Slide 2 OMTP – Who are we?

Sponsor members

Operator Members

Advisor members

Slide 3 OMTP Non-BONDI Activity

Green Chargers • Updating common charger publication to reflect enhanced power requirements

Bluetooth • Defragmentation of Bluetooth profiles

Camera • Defining standard camera properties

Wired Updates • Defining mechanisms for in-store wired updates for devices

Common Errors • Standardising common device errors for simplified reporting

Visual voicemail client • Defining enhancements to existing visual voicemail specifications

Network and battery optimisation • Addressing the end-to-end problem of ensuring multiple applications can maintain always-on connectivity (network and battery)

Slide 4 What are Widgets?

• Small self-contained web applications:
  • CSS, HTML, JavaScript, XML - zipped
• Perfect for mobile – easy to program and distribute
• Device independent, cross-platform
• Opportunity for Apps everywhere: (overcoming fragmentation)

Slide 5 Widgets, widgets or widgets?

Some examples:

Web: iGoogle, My Yahoo!, Windows Live, c.15 others

AJAX

Access Netfront Mobile Blueprint Desktop Google Gears Yahoo! Konfabulator Java Opera Apple Dashboard Qualcomm Plaza Microsoft Gadgets Yahoo! Blueprint Symbian Klipfolio BluePulse WidX Plasma Mywidz Plusmo Webwag Widsets WidX Zumobi

Slide 6 Making widgets useful – device APIs

• Connects the web world with the real world
• Enables richer and more useful applications
• Much easier to develop on than proprietary platforms
• Mostly mobile, but the future is not limited to that:

Vehicles Televisions & Set-top boxes Diagnostics Weight

Streaming Media Fares / charging Speed

Security & Privacy? White Goods Other Consumer Electronics Messaging Timers Gallery

Temperature sensors Gallery Location

Slide 7 What are the Dangers?

• We are enabling cross-platform, cross-device, easy to develop, highly functional applications:
  • Will this meet all the criteria for really successful malware on mobile?
  • Are we opening Pandora’s box?

http://i393.photobucket.com/albums/pp12/mario12_023/surfer1.jpg

Slide 8 Example 1 – Premium Rate Abuse

• A widget that seems benign but is actually spewing out SMSs to premium rate numbers without the user’s knowledge
• Could be modified from an original safe widget.
• Examples seen in the past, this model could be used for ‘diallers’ too.
• Recent warnings on this:

http://www.dailydigest.voolstra.de/wp-content/uploads/2008/03/shark-vs-surfer.jpg

Slide 9 Example 2 – Privacy Breach

• Location, contacts, gallery…
• Silently uploads data to a site from a game?
• Clear goal for attackers already:
  • Numerous high-profile examples in the past
  • Paris Hilton, Miley Cyrus, Lindsay Lohan
  • Schoolkids getting a teacher’s private pictures / videos
  • News of the World, voicemail hacking

http://img.photobucket.com/albums/v251/joserouse/Surfing/Yikes.jpg

Slide 10 Example 3 – Integrity Breach

• A widget that replaces the voicemail number with a premium rate number instead?
• Planting evidence – photos, files etc?
• Pure theft of data for various reasons

http://images.paraorkut.com/img/funnypics/images/s/surfers_with_shark-12742.png

Slide 11 Example 4 – Phishing

• Widgets contain web content – easy to duplicate and masquerade as something legitimate… perhaps a bank?

http://www.f-secure.com/weblog/archives/00001852.html

Slide 12 Making it safe to surf

• On the face of it, widgets look potentially very dangerous
• We need to protect the user

“If I say it’s safe to surf this beach, then it’s safe to surf this beach!”

Slide 13 Signing

• Digital Signing has worked quite well for native applications on mobile so far
• Some hiccups
• Signing schemes and App Stores have to be very careful what they sign and allow
• Not a Panacea, but part of a holistic security solution:
  • Provides Integrity and Identity
  • Not a guarantee of authenticity
• Process needs to be simple for developers
• W3C Widget Digital Signatures spec.
• Combined with effective revocation or ‘kill-switches’ this can work well

Slide 14 Policy

• Governs and regulates access to physical features
• Remotely configurable and managed
• Can be updated – intelligent and adaptable
• Most devices have a binary go / no-go solution at present
• Protects the user – potentially from themselves
• Prompting doesn’t work
• Users make bad decisions
• People don’t read things
• Automatic behaviour
• Give them the chance to click ‘yes’ and they will
• But: technology can’t always take a decision – user still has to bear responsibility for their own actions

Slide 15 Policy Example

• BONDI provides a policy framework based on OASIS XACML
• 3rd parties can provide policy for users
• Operators, anti-virus vendors, consumer groups, charities etc.?
• Human-readable, easy to create:

- - - - - * messaging.sms.send - - messaging.sms.send

• Automated tools for policy creation
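
The following is an added example, not code from the presentation and not BONDI's XACML-based policy format: a default-deny, first-match evaluator showing how the signing, revocation and policy slides combine. The rule shape, trust domains, signer ids and the `location.read` feature are constructed; `signatureValid` is assumed to be the result of a separate package signature check.

```javascript
// Added illustration, not the BONDI XML policy format. Only
// "messaging.sms.send" comes from the slide; every other name is constructed.
const REVOKED_SIGNERS = new Set(["dev-666"]); // constructed kill-switch list

const POLICY = [
  // Kill-switch first: a revoked signer loses every feature.
  { revoked: true, feature: "*", effect: "deny" },
  // Operator-signed widgets may send SMS.
  { trust: "operator", feature: "messaging.sms.send", effect: "permit" },
  // Identified developers get location features, nothing that costs money.
  { trust: "developer", feature: "location.*", effect: "permit" },
];

function featureMatches(pattern, feature) {
  if (pattern === "*") return true;
  if (pattern.endsWith(".*")) return feature.startsWith(pattern.slice(0, -1));
  return pattern === feature;
}

// A failed signature check discards the trust domain the package claims,
// so a modified copy of a trusted widget is evaluated as "unsigned".
function decide(widget, feature, policy = POLICY, revoked = REVOKED_SIGNERS) {
  const trust = widget.signatureValid ? widget.trust : "unsigned";
  const isRevoked = widget.signatureValid && revoked.has(widget.signerId);
  for (const rule of policy) {
    if (rule.revoked !== undefined && rule.revoked !== isRevoked) continue;
    if (rule.trust !== undefined && rule.trust !== trust) continue;
    if (featureMatches(rule.feature, feature)) return rule.effect;
  }
  return "deny"; // no matching rule: deny without prompting the user
}

// Constructed sample widgets.
const WIDGETS = {
  operatorApp: { signerId: "op-001", trust: "operator", signatureValid: true },
  tampered: { signerId: "op-001", trust: "operator", signatureValid: false },
  game: { signerId: "dev-042", trust: "developer", signatureValid: true },
  revokedDev: { signerId: "dev-666", trust: "developer", signatureValid: true },
};

for (const [name, widget] of Object.entries(WIDGETS)) {
  for (const feature of ["messaging.sms.send", "location.read"]) {
    console.log(`${name} -> ${feature}: ${decide(widget, feature)}`);
  }
}
```

The `game` widget is the premium-rate case from Example 1: it keeps its location access but its SMS request is denied by default rather than turned into a user prompt.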

Slide 16 Architecture

[Architecture diagram. Labels: Web Package, Widget Package; Browser, Web runtime; Web engine, JavaScript, JavaScript Extension, Events, Errors; Secure Access Policy, Policy Management; Dynamic API, History API, PIM Management, Gallery, Camera, Location, Messaging, Persistence, Phone Status, System Events, Comms, User Interaction, Application Settings, New API, Application Invoke; Operating Systems, RTOSs]

Slide 17 Summary

Widgets are coming, be prepared!

• Don’t: be afraid – the risks can be managed
• Don’t: allow unrestricted access to device functions and APIs
• Do: ensure your app stores are properly inspecting submitted widgets for malicious code
• Do: use digital signatures
• Do: use policy and encourage partners to work on this
• Do: share information on incidents with other industry members

Slide 18 Thanks! Questions?

Slide 19 Appendix – Additional Information

Slide 20 More information

follow us at “OMTP_BONDI”
BONDI Group - http://www.linkedin.com/groups?gid=1784510
BONDI Group – http://www.facebook.com/home.php#/group.php?gid=59780786136

blog http://blog.omtpbondi.org

http://bondi.omtp.org

dev http://bondidev.omtp.org

http://www.omtp.org

Slide 21 BONDI 1.1 Deliveries

Final release Jan 2010

System Event APIs • Primary enhancement is the addition of notification API that can respond to device events

Updated Reference Implementation • New Windows Mobile implementation implementing the updated features

Compliance Reporting • Online Quality Assurance tools for the BONDI Compliance Test Suite.

Developer tools • Eclipse plug-in, and integrated help to aid developers

Security tools • Online signing tools to help widget packaging

Slide 22 BONDI 1.5 Deliveries

Candidate release planned Mar 2010

Telephony API • Calls to initiate and handle telephony events

Bluetooth API • Interacting with core Bluetooth features

Sensors API • Developer APIs for accelerometer integration

App launcher API • Enhance existing APIs to allow BONDI to interact with built in applications

Widget Runtime Update requirements • A set of requirements to define how and when a Widget runtime can be updated

Smart Card Web Server • Provide the ability for SCWS services to access BONDI APIs

DLNA (Digital Living Network Alliance) • APIs to interact with DLNA enabled devices

APDU access API • APIs to access SIM capabilities

Slide 23 BONDI 2.0 Deliveries

Candidate release planned Sept 2010

Crypto APIs • APIs to grant access to security assets and functions

Server Push API • Efficient mechanisms of server based notification

Widget intercommunication • Protocols and conventions to allow widgets to talk to one another

API Extensibility • Negotiation and delivery mechanisms for new APIs

Connection Profile Definition • Describing the characteristics of a connection for use in APIs and policy

Subscriber Identity API • An API for using SIM identity in applications

Widget security enhancements • Requirements and APIs to make widgets fit for mission critical applications

Policy Management Protocol • A discovery and provisioning protocol for security policies

Slide 24 W3C Specifications

Widgets http://www.w3.org/2008/webapps/wiki/WidgetSpecs

• Widgets 1.0: Packaging & Configuration (P&C)
• Widgets 1.0: Digital Signatures
• Widgets 1.0: Widget Interface
• Widgets 1.0: Widget Access Requests Policy (WARP)
• Widgets 1.0: Widget URIs
• Widgets 1.0: Widget Updates
• Widgets 1.0: View Modes Media Feature

Device APIs and Policy (DAP) http://www.w3.org/2009/dap/

• Security Policy Framework
• APIs:
  • PIM (Contacts, Calendar, Tasks)
  • Camera
  • Gallery
  • Messaging
  • System Information and Events
  • FileSystem
  • Application Launcher
  • Application Configuration
  • Communications Log
  • User Interaction

Others http://www.w3.org/2008/webapps/wiki/Main_Page

• Web Sockets API
• Web Workers
• Web Storage
• File API

HTML5 http://dev.w3.org/html5/spec/Overview.html

Geolocation http://www.w3.org/2008/geolocation
