© OMTP All rights reserved Slide 1 Surfing with the Sharks Securing Mobile Widgets 5th ETSI Security Workshop 20th January 2010 Sophia Antipolis, France David Rogers, Director of External Relations, OMTP © OMTP All rights reserved Slide 2 OMTP – Who are we? Sponsor members Operator Members Advisor members © OMTP All rights reserved Slide 3 OMTP Non-BONDI Activity • Updating common charger publication with to reflect enhanced Green Chargers power requirements Bluetooth • Defragmentation of Bluetooth profiles Camera • Defining standard camera properties Wired Updates • Defining mechanisms for in store wired updates for devices Common Errors • Standardising common device errors for simplified reporting Visual voicemail client • Defining enhancements to existing visual voicemail specifications Network and battery • Addressing the end to end problem of ensuring multiple applications optimisation can maintain always on connectivity, (network and battery) © OMTP All rights reserved Slide 4 What are Widgets? • Small self-contained web applications: • CSS, HTML, JavaScript, XML - zipped = • Perfect for mobile – easy to program and distribute • Device independent, cross-platform • Opportunity for Apps everywhere: (overcoming fragmentation) © OMTP All rights reserved Slide 5 Widgets, widgets or widgets? Some examples: Web iGoogle NetVibes Pageflakes My Yahoo! Windows Live c.15 others AJAX Access Netfront Mobile Blueprint Desktop Google Gears Yahoo! Konfabulator Java Opera Apple Dashboard Qualcomm Plaza Microsoft Gadgets Yahoo! Blueprint Symbian Klipfolio BluePulse WidX Plasma Mywidz Screenlets Plusmo Webwag Widsets WidX Zumobi © OMTP All rights reserved Slide 6 Making widgets useful – device APIs • Connects the web world with the real world • Enables richer and more useful applications • Much easier to develop on than proprietary platforms • Mostly mobile but not the future is not limited to that: Vehicles Televisions & Set-top boxes Diagnostics Weight Streaming Media Fares / charging Speed Security & Privacy? White Goods Other Consumer Electronics Messaging Timers Gallery Temperature sensors Gallery Location © OMTP All rights reserved Slide 7 What are the Dangers? • We are enabling cross-platform, cross-device, easy to develop, highly functional applications: • Will this meet all the criteria for really successful malware on mobile? • Are we opening Pandora’s box? http://i393.photobucket.com/albums/pp12/mario12_023/surfer1.jpg © OMTP All rights reserved Slide 8 Example 1 – Premium Rate Abuse • A widget that seems benign but is actually spewing out SMSs to premium rate numbers without the user’s knowledge • Could be modified from an original safe widget. • Examples seen in the past, this model could be used for ‘diallers’ too. • Recent warnings on this: http://www.dailydigest.voolstra.de/wp-content/uploads/2008/03/shark-vs-surfer.jpg © OMTP All rights reserved Slide 9 Example 2 – Privacy Breach • Location, contacts, gallery… • Silently uploads data to a site from a game? • Clear goal for attackers already: • Numerous high-profile examples in the past • Paris Hilton, Miley Cyrus, Lindsay Lohan • Schoolkids getting a teacher’s private pictures / videos • News of the World, voicemail hacking http://img.photobucket.com/albums/v251/joserouse/Surfing/Yikes.jpg © OMTP All rights reserved Slide 10 Example 3 – Integrity Breach • A widget that replaces the voicemail number with a premium rate number instead? • Planting evidence – photos, files etc? • Pure theft of data for various reasons http://images.paraorkut.com/img/funnypics/images/s/surfers_with_shark-12742.png © OMTP All rights reserved Slide 11 Example 4 – Phishing • Widgets contain web content – easy to duplicate and masquerade as something legitimate… perhaps a bank? http://www.f-secure.com/weblog/archives/00001852.html © OMTP All rights reserved Slide 12 Making it safe to surf • On the face of it, widgets look potentially very dangerous • We need to protect the user “If I say it’s safe to surf this beach, then it’s safe to surf this beach!” © OMTP All rights reserved Slide 13 Signing • Digital Signing has worked quite well for native applications on mobile so far • Some hiccups • Signing schemes and App Stores have to be very careful what they sign and allow • Not a Panacea, but part of a holistic security solution: • Provides Integrity and Identity • Not a guarantee of authenticity • Process needs to be simple for developers • W3C Widget Digital Signatures spec. • Combined with effective revocation or ‘kill-switches’ this can work well © OMTP All rights reserved Slide 14 Policy • Governs and regulates access to physical features • Remotely configurable and managed • Can be updated – intelligent and adaptable • Most devices have a binary go / no-go solution at present • Protects the user – potentially from themselves • Prompting doesn’t work • Users make bad decisions • People don’t read things • Automatic behaviour • Give them the chance to click ‘yes’ and they will • But: technology can’t always take a decision – user still has to bear responsibility for their own actions © OMTP All rights reserved Slide 15 Policy Example • BONDI provides a policy framework based on OASIS XACML • 3rd parties can provide policy for users • Operators, anti-virus vendors, consumer groups, charities etc.? • Human-readable, easy to create: <?xml version="1.0" encoding="us-ascii" ?> - <policy-set combine="deny-overrides" id="9a956cf4-2be8-4c2b-b9a6-7343e48efff6"> - <policy combine="first-applicable" id="3a701221-12cb-4ebe-981d-ee5a5dab76c7" description="permit sms if number in current country"> - <rule effect="permit"> - <condition> - <resource-match attr="param:number"> <environment-attr attr="country-code" /> * </resource-match> <resource-match attr="device-cap">messaging.sms.send</resource-match> </condition> </rule> - <rule effect="deny"> - <condition> <resource-match attr="device-cap">messaging.sms.send</resource-match> </condition> </rule> </policy> </policy-set> • Automated tools for policy creation © OMTP All rights reserved Slide 16 Architecture Web Widget Package Package Browser Web runtime Web engine JavaScript Events JavaScript Extension Errors Secure Access Policy Policy Management Dynamic API History API PIM Management Gallery Camera Location Messaging Persistence Phone Status Phone System Events System Comms User Interaction User Application Settings Application New API Application Invoke Application Operating Systems RTOSs © OMTP All rights reserved Slide 17 Summary Widgets are coming, be prepared! • Don’t: be afraid – the risks can be managed • Don’t: allow unrestricted access to device functions and APIs • Do: ensure your app stores are properly inspecting submitted widgets for malicious code • Do: use digital signatures • Do: use policy and encourage partners to work on this • Do: share information on incidents with other industry members © OMTP All rights reserved Slide 18 Thanks! Questions? © OMTP All rights reserved Slide 19 Appendix – Additional Information © OMTP All rights reserved Slide 20 More information follow us at “OMTP_BONDI” BONDI Group - http://www.linkedin.com/groups?gid=1784510 BONDI Group – http://www.facebook.com/home.php#/group.php?gid=59780786136 blog http://blog.omtpbondi.org http://bondi.omtp.org dev http://bondidev.omtp.org http://www.omtp.org © OMTP All rights reserved Slide 21 BONDI 1.1 Deliveries Final release Jan 2010 • Primary enhancement is the addition of System Event APIs notification API that can respond to device events Updated Reference • New Windows Mobile implementation Implementation implementing the updated features Compliance • Online Quality Assurance tools for the BONDI Reporting Compliance Test Suite. • Eclipse plug-in, and integrated help to aid Developer tools developers Security tools • Online signing tools to help widget packaging © OMTP All rights reserved Slide 22 BONDI 1.5 Deliveries Candidate release planned Mar 2010 Telephony API •Calls to initiate and handle telephony events Bluetooth API • Interacting with core Bluetooth features Sensors API • Developer APIs for accelerometer integration • Enhance existing APIs to allow BONDI to App launcher API interact with built in applications Widget Runtime Update • A set of requirements to define how and when a requirements Widget runtime can be updated Smart Card Web Server •Provide the ability for SCWS services to access BONDI APIs DLNA • APIs to interact with DLNA enabled devices Digital Living Network Alliance APDU access API • APIs to access SIM capabilities © OMTP All rights reserved Slide 23 BONDI 2.0 Deliveries Candidate release planned Sept 2010 Crypto APIs •APIs to grant access to security assets and functions Server Push API •Efficient mechanisms of server based notification Widget •Protocols and conventions to allow widgets to talk to one intercommunication another API Extensibility •Negotiation and delivery mechanisms for new APIs Connection Profile •Describing the characteristics of a connection for use in Definition APIs and policy Subscriber Identity API •An API for using SIM identity in applications Widget security •Requirements and APIs to make widgets fit for mission enhancements critical applications Policy Management •A discovery and provisioning protocol for security policies Protocol © OMTP All rights reserved Slide 24 W3C Specifications Widgets http://www.w3.org/2008/webapps/wiki/WidgetSpecs • Widgets 1.0: Packaging & Configuration (P&C) Device APIs and Policy (DAP) • Widgets 1.0: Digital Signatures http://www.w3.org/2009/dap/ • Widgets 1.0: Widget Interface • Widgets 1.0: Widget Access Requests Policy (WARP) • Security Policy Framework • Widgets 1.0: Widget URIs • APIs: • Widgets 1.0: Widget Updates • PIM (Contacts, Calendar, Tasks) • Widgets 1.0: View Modes Media Feature • Camera • Gallery • Messaging • System Information and Events Others • FileSystem http://www.w3.org/2008/webapps/wiki/Main_Page • Application Launcher • Application Configuration • Web Sockets API • Communications Log • Web Workers • User Interaction • Web Storage • File API HTML5 http://dev.w3.org/html5/spec/Overview.html Geolocation http://www.w3.org/2008/geolocation © OMTP All rights reserved Slide 25.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages25 Page
-
File Size-