
Platform Security: What can we learn from ?
Craig Heath, Independent Security Consultant

15 Jan 2015, Franklin Heath Ltd

Discussion Points

- Was Symbian OS platform security a success?
- Did developer difficulties with platform security contribute to Symbian's downfall?
- Could those difficulties have been prevented?
- Did Symbian's platform security have anything better than today's successful platforms?

© Franklin Heath Ltd, CC BY 3.0

Symbian OS Versions

(Table reconstructed from the slide; blank "Typical Phone" cells were shown only as images.)

Without Platform Security
Year | Ver. | UI Layer            | Typical Phone
2001 | 6.0  | Series 80           | Nokia 9210
2002 | 6.1  | S60 1st Edition+FP1 |
2002 | 6.1  | MOAP(S)             | F2051
     | 7.0  | UIQ 2.0 (& 2.1)     | Sony Ericsson P800
2003 | 7.0S | S60 2nd Edition+FP1 |
2004 | 8.0a | S60 2nd Edition FP2 |
2005 | 8.1a | S60 2nd Edition FP3 |
2007 | 8.1b | MOAP(S)             | Fujitsu F905i

With Platform Security
Year | Ver. | UI Layer            | Typical Phone
2006 | 9.1  | S60 3rd Edition     | 3250
2006 | 9.1  | UIQ 3.0             | Ericsson P990
2007 | 9.2  | S60 3rd Edition FP1 |
2007 | 9.2  | UIQ 3.1 & 3.2       | Motorola Z8
2008 | 9.3  | S60 3rd Edition FP2 | i8510
2009 | 9.4  | S60 5th Edition     | Nokia 5800
2010 | ^2   | MOAP(S)             | Fujitsu F-07B
2010 | ^3   | S60                 |
2011 | Anna | S60                 |

Symbian Platform Security Architecture

- Run-time controls on system and applications
- Based on long-established security principles
  - e.g. "Trusted Computing Base", "Least Privilege"
- Designed for use cases
  - low-level, highly efficient implementation
- "Capabilities" determine process privileges
  - checked by which offer security-relevant services
- "Data Caging" protects stored data
  - protected directories for system and for applications
- Secure identifiers ("SIDs") for applications
  - verified at install-time
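To make the two run-time mechanisms on this slide concrete, here is a small model (added for this write-up, not code from the talk or from Symbian OS) of a server-side capability check and of the data caging rules for \sys, \resource and \private. The capability names are the real Symbian ones listed later in the deck; the directory rules follow Symbian's documented data caging policy; the type and function names are this example's own.

```cpp
#include <cstdint>
#include <cstdio>
#include <set>
#include <string>

using Caps = std::set<std::string>;

// A process as platform security sees it: the SID verified at install time
// and the set of capabilities granted to it at install time.
struct Process {
    uint32_t sid;
    Caps caps;
    bool has(const std::string& cap) const { return caps.count(cap) != 0; }
};

// A server offering a security-relevant service checks the caller's
// capability (not its identity) before serving the request.
bool serverAllows(const Process& client, const std::string& requiredCap) {
    return client.has(requiredCap);
}

enum class Op { Read, Write };

static bool startsWith(const std::string& s, const std::string& prefix) {
    return s.compare(0, prefix.size(), prefix) == 0;
}

// SIDs are 32-bit values; \private\ subdirectories are named by the SID in hex.
static std::string sidToHex(uint32_t sid) {
    char buf[9];
    std::snprintf(buf, sizeof buf, "%08x", static_cast<unsigned>(sid));
    return buf;
}

// Data caging rules for a path already normalised to lower case, drive letter
// stripped, backslash separators:
//   \sys\           read needs AllFiles, write needs TCB
//   \resource\      read open to all, write needs TCB
//   \private\<SID>\ owning process has full access; others need AllFiles to read, TCB to write
//   anything else   unrestricted
bool cagingAllows(const Process& proc, const std::string& path, Op op) {
    if (startsWith(path, "\\sys\\"))
        return op == Op::Read ? proc.has("AllFiles") : proc.has("TCB");
    if (startsWith(path, "\\resource\\"))
        return op == Op::Read || proc.has("TCB");
    if (startsWith(path, "\\private\\")) {
        const size_t start = 9;  // length of "\private\"
        size_t end = path.find('\\', start);
        if (path.substr(start, end - start) == sidToHex(proc.sid)) return true;
        return op == Op::Read ? proc.has("AllFiles") : proc.has("TCB");
    }
    return true;
}
```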

Symbian OS New Malware Strains and Variants Per Month

[Chart: new malware strains ("New") and variants ("Variant") per month, y-axis 0 to 18, with an annotation marking when the first phones with platform security were introduced.]

Developer Difficulties

- Compatibility break
  - Used as an excuse for fixing accumulated technical debt
- Additional complexity
  - SIDs, data caging, etc.
  - "How do I know what capabilities I need?"
- Difficulty of debugging
  - "Why can't you just turn the security off?"
- Cost of approval and signing
  - ...even though it was steadily reduced over time
- Delays caused by approval and signing process
  - Rejections were common

Aside: Symbian OS C++

- Same language and environment for apps as the OS (and/or UI)
  - In principle allows third party developers to produce powerful apps
  - ... but harder to work with: in-progress documentation and finicky tools
- Non-standard C++ "idioms"
  - Descriptors, active objects, cleanup stack
  - ANSI exception handling came too late
  - Technically good (vastly more power efficient)
  - ... but steep learning curve
- Alternatives were either too little (CDC Java, MIDP Java)
  - ... or too late (PIPS, )

Symbian Signed Capability Groups

User            | Extended (System) | Extended (Restricted) | Manufacturer
LocalServices   | PowerMgmt         | CommDD                | AllFiles
Location        | ProtServ          | DiskAdmin             | DRM
NetworkServices | ReadDeviceData    | NetworkControl        | TCB
ReadUserData    | SurroundingsDD    | MultimediaDD          |
UserEnvironment | SwEvent           |                       |
WriteUserData   | TrustedUI         |                       |
                | WriteDeviceData   |                       |

Symbian Signed Capability Groups

Table columns on the slide: Group; Additional Capabilities Permitted; Unsigned or Self-signed; Express Signed; Certified Signed; Unverified Developer Certificate (per IMEI(s)); Verified with Publisher ID Developer Certificate (per IMEI(s)). Only the textual cells survived extraction; tick-mark cells and the column placement of the "Yes" / "OEM approval" cells are not recoverable.

User                  | 6 | install-time user prompt | Yes | Yes
Extended (System)     | 7 |                          | Yes | Yes
Extended (Restricted) | 4 |                          |     |
Manufacturer          | 3 |                          | OEM approval | OEM approval

Symbian Signed Costs

- 2004, initially a branding / co-marketing programme
  - All outsourced costs passed to publisher (could be over $1000 per app)
  - Most developers were their own publisher
- 2006, required for "non-user-grantable" platform security capabilities
  - Standardised testing, lowest price €195
  - Still required $395 publisher ID annually
- 2007, reduced costs but increased complexity
  - Publisher IDs reduced to $200
  - "Express Signed" $20
    - subset of "extended" capabilities, self-testing with random auditing afterwards
- 2010, streamlined test criteria
  - Express Signed €10, Certified Signed €150
- 2010, Nokia pays for and performs signing for Store submissions


What Could We Have Done Differently?

- Needed more clout and/or money
  - Google were able to ignore operator demands
  - Apple were able to phase out DRM
  - Apple were able to subsidise approval process
- CA-issued publisher IDs were probably a mistake
  - Self-signed works for Google Android
  - Didn't help us track down malicious actors
- Robustness was pretty good
- User experience was pretty good

Discussion Points (the four questions from the opening slide, repeated)