Traditionally, mobile phones were used only for voice communication. Today the phone has become a tool for end-to-end information exchange, and wherever information is exchanged there is a risk of information leakage, spoofing and all sorts of hacking.
Many people treat the phrase “Secured Mobile Application” as an oxymoron. Many mobile app developers give little thought to the security of their applications and put most of their effort into a jazzy UI and funky features.
Although the security features available to a mobile application are largely the same as for a desktop application, the security risks and considerations differ somewhat because of the mobile hardware and the way mobile devices are used.
Security considerations for a Win Mobile based mobile application

Preventing Data theft
Most mobile apps store user-related data on the device, such as passwords or user preferences. This data must be secured on the device.
Data can be stolen in many ways. Below are a few examples of how data theft happens.
- Hacking: This is by far the most common way of stealing data, with the least chance of getting caught. A hacker gets into a system where he or she is not supposed to be and steals whatever data was targeted. Hackers find their gateway through gaps in the security system or by hoodwinking gullible employees or surfers in order to gain access to a system.
- Posing: Appearances can be deceiving. The attractive website that has popped up offering you a great holiday treat may actually be a data thief trying to get into your system disguised as a harmless piece of spam.
- Remote Access: Does the indicator show that a program is running even when you are not working on anything and have no windows open? Do not ignore the symptoms; a data thief may already be sitting in your computer. Remote access allows the thief to take control of your machine from wherever he or she is and operate it, steal data from it, and even distribute viruses from it.
- Spyware: Spyware is often brought in by adware. The thief may not sit in your system, but your keystrokes or mouse clicks are spied upon, revealing what you are doing and capturing the data as you type it in. You opened the gate by clicking on an innocent-looking ad.
- Podslurping: Most home users now store their music on iPods. You would usually not suspect an employee listening to music while working as usual. The thief knows this and uses the iPod to copy data from the computer it is plugged into.
- Bluesnarfing: Bluetooth devices have become popular in a very short time. Using his or her Bluetooth-enabled cell phone or laptop, the data thief lifts data from a restricted computer silently and mostly unnoticed.
Microsoft SQL Server Compact (SQL CE) is a compact relational database produced by Microsoft for applications that run on mobile devices and desktops. Most Windows Mobile apps store their data in this database. SQL CE databases should be encrypted, and every application should require a login to protect the data. With a login in place, the application can be configured to wipe its data after a set number of failed login attempts.
If the application stores data on the storage card, it must be ensured that the data is encrypted, because storage cards are easily removed and read on another machine.
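As an added example that is not part of the original post, the following C# sketch shows the SQL CE pattern described above: an encrypted database that is opened with a user-supplied password and wiped after repeated failed logins. The class name, the limit of five attempts and the file path handling are assumptions; the connection-string keywords are those of SQL CE.

```csharp
using System;
using System.IO;
using System.Data.SqlServerCe;

// Added example (not the post's code): encrypted SQL CE store with a login
// and a wipe after MaxFailedLogins wrong passwords (assumed policy value).
public static class SecureStore
{
    const int MaxFailedLogins = 5;
    static int failedLogins;   // in a real app persist this outside the .sdf

    static string BuildConnectionString(string dbPath, string password)
    {
        // "Encrypt Database=True" makes SQL CE encrypt the .sdf file itself;
        // with only "Password=" the file is access-protected but not encrypted.
        return "Data Source=" + dbPath + ";Password=" + password + ";Encrypt Database=True";
    }

    public static void Create(string dbPath, string password)
    {
        if (password == null || password.Length < 8) throw new ArgumentException("password too short");
        using (SqlCeEngine engine = new SqlCeEngine(BuildConnectionString(dbPath, password)))
            engine.CreateDatabase();
    }

    // Returns an open connection, or null when the password is wrong.
    // After MaxFailedLogins consecutive failures the database file is deleted.
    public static SqlCeConnection Open(string dbPath, string password)
    {
        SqlCeConnection conn = new SqlCeConnection(BuildConnectionString(dbPath, password));
        try
        {
            conn.Open();
            failedLogins = 0;
            return conn;
        }
        catch (SqlCeException)
        {
            conn.Dispose();
            failedLogins++;
            if (failedLogins >= MaxFailedLogins)
            {
                // The ciphertext is useless without the password, but deleting it
                // also stops further guessing against the copy on the device.
                File.Delete(dbPath);
                failedLogins = 0;
            }
            return null;
        }
    }
}
```

The failure counter must live outside the encrypted file (for example in a separate small file) so that it survives restarts; keeping it in memory, as here, only limits one session.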
Use of Cryptography
Cryptography basically refers to the practice and study of hiding information. Before we analyze the application of cryptography on mobile devices we need to understand its concepts in some detail.
Cryptography can be defined as the conversion of data into a scrambled form that can be sent across a public or private network and deciphered by the intended recipient. Cryptography uses two main styles of encrypting data: symmetric and asymmetric. Symmetric algorithms use the same key for encryption as for decryption. Other names for this type of encryption are secret-key, shared-key and private-key encryption. The encryption key can be loosely related to the decryption key; it does not necessarily need to be an exact copy.
Symmetric cryptography is susceptible to plaintext attacks and linear cryptanalysis, meaning that such systems can be broken and at times are simple to decode. With careful design of the cipher and its functions these threats can be greatly reduced. Asymmetric cryptography uses different keys for encryption and decryption. In this case an end user on a network, public or private, has a pair of keys: one for encryption and one for decryption. These are known as the public key and the private key, and the private key cannot be derived from the public key. Asymmetric cryptography has been proven to be secure against computationally limited intruders.
Windows Mobile provides a range of symmetric and asymmetric encryption algorithms through its implementation of CAPI, the Cryptography Application Programming Interface. In addition, the Microsoft .NET Compact Framework 2.0 has managed classes that mirror the desktop framework classes and provide simple access to the crypto library.
The processing power of a mobile device is significantly lower than that of a desktop. The CPU cost of running cryptographic algorithms has to be considered while designing a mobile application. Asymmetric algorithms can take a significant amount of CPU effort and can slow the device noticeably. When using an asymmetric algorithm, the amount of data it protects should be kept minimal and the data should be decrypted only when necessary. A better pattern is to encrypt the bulk data with a symmetric key and use the asymmetric key only to encrypt that symmetric key. This puts less strain on the mobile processor and has a positive impact on battery life.
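The hybrid pattern just described, as an added C# example that is not part of the original post: the bulk data goes through a fresh symmetric key and only that small key goes through RSA. It is written against the desktop .NET classes; the assumption is that the Compact Framework 2.0 classes the post mentions expose the same members (RijndaelManaged, RSACryptoServiceProvider).

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

// Added example (not the post's code). Blob layout:
// [4-byte wrapped-key length][RSA-wrapped AES key][16-byte IV][AES-CBC ciphertext]
public static class HybridCrypto
{
    public static byte[] Encrypt(byte[] plaintext, RSACryptoServiceProvider recipientPublicKey)
    {
        using (RijndaelManaged aes = new RijndaelManaged())
        using (MemoryStream output = new MemoryStream())
        {
            aes.KeySize = 256;
            aes.GenerateKey();   // fresh symmetric key for this message only
            aes.GenerateIV();
            // Only the 32-byte key goes through RSA. fOAEP=false selects PKCS#1 v1.5
            // padding, assumed to be the mode available on the Compact Framework.
            byte[] wrappedKey = recipientPublicKey.Encrypt(aes.Key, false);
            output.Write(BitConverter.GetBytes(wrappedKey.Length), 0, 4);
            output.Write(wrappedKey, 0, wrappedKey.Length);
            output.Write(aes.IV, 0, aes.IV.Length);
            using (ICryptoTransform enc = aes.CreateEncryptor())
            using (CryptoStream cs = new CryptoStream(output, enc, CryptoStreamMode.Write))
            {
                cs.Write(plaintext, 0, plaintext.Length);   // bulk data: cheap symmetric work
                cs.FlushFinalBlock();
            }
            return output.ToArray();
        }
    }

    public static byte[] Decrypt(byte[] blob, RSACryptoServiceProvider recipientPrivateKey)
    {
        int keyLen = BitConverter.ToInt32(blob, 0);
        byte[] wrappedKey = new byte[keyLen];
        Buffer.BlockCopy(blob, 4, wrappedKey, 0, keyLen);
        byte[] iv = new byte[16];
        Buffer.BlockCopy(blob, 4 + keyLen, iv, 0, 16);
        int offset = 4 + keyLen + 16;
        using (RijndaelManaged aes = new RijndaelManaged())
        {
            aes.Key = recipientPrivateKey.Decrypt(wrappedKey, false);   // the only RSA operation
            aes.IV = iv;
            using (ICryptoTransform dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(blob, offset, blob.Length - offset);
        }
    }
}
```

CBC mode alone does not detect tampering; if integrity matters, append an HMAC over the whole blob, keyed from the same session key, and verify it before decrypting.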
Key management
As explained above, the main ingredient of cryptography is the key. In cryptography, a key is a piece of information (a parameter) that determines the output of a cryptographic algorithm or cipher. The keys used for encryption and decryption have to be stored somewhere on the device that is accessible to the mobile application. The process of storing keys securely on the device is referred to as “Key Management”.
Key management brings its own challenges regardless of platform, but on mobile devices it can become an acute problem. Windows Mobile does not offer a machine- or user-protected store for keys in the way the desktop operating systems do, so storing keys on a Windows Mobile powered device is tricky. Storing the master key in code or in a file on the device is rarely an acceptable solution, because Windows Mobile does not implement object-level security; files cannot be individually restricted from access by other processes or via a technology like ActiveSync. The easiest and safest way to deal with a master key is to give it to the user and remove the problem from the device: derive the master key from a user password at the perimeter of the device or at the perimeter of the mobile application.
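Deriving the master key from the user's password, as an added C# example that is not part of the original post. Only a random salt and a key verifier are written to the device; the key itself is recomputed at login. Rfc2898DeriveBytes (PBKDF2) is the desktop class and its availability on Compact Framework 2.0 is an assumption; the iteration count and sizes are chosen policy values.

```csharp
using System;
using System.Security.Cryptography;

// Added example (not the post's code): the master key never rests on the device.
public static class MasterKey
{
    const int SaltBytes = 16;
    const int Iterations = 10000;   // tune to the device CPU; higher slows password guessing
    const int KeyBytes = 32;        // 256-bit key for the symmetric cipher

    // The salt is stored beside the encrypted data; it is random but not secret.
    public static byte[] NewSalt()
    {
        byte[] salt = new byte[SaltBytes];
        new RNGCryptoServiceProvider().GetBytes(salt);
        return salt;
    }

    // Recomputed on every login from password + salt; never written to storage.
    public static byte[] Derive(string password, byte[] salt)
    {
        Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, Iterations);
        return kdf.GetBytes(KeyBytes);
    }

    // A verifier lets the app reject a wrong password without touching the data.
    // Store SHA-256(key); an attacker with the verifier still has to run the
    // salted, iterated derivation for every guess.
    public static byte[] Verifier(byte[] key)
    {
        using (SHA256 sha = new SHA256Managed())
            return sha.ComputeHash(key);
    }

    // Constant-time comparison so timing does not leak how many bytes matched.
    public static bool Matches(byte[] storedVerifier, byte[] candidateVerifier)
    {
        if (storedVerifier.Length != candidateVerifier.Length) return false;
        int diff = 0;
        for (int i = 0; i < storedVerifier.Length; i++) diff |= storedVerifier[i] ^ candidateVerifier[i];
        return diff == 0;
    }
}
```

At login the app calls Derive with the stored salt, compares Verifier of the result against the stored verifier with Matches, and only then uses the derived key; the failed-login counter and wipe from the SQL CE section apply here as well.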
References – Microsoft Technet
Security features of an iPhone app

Sandboxing and Mandatory Access Control Framework
In computer security, mandatory access control (MAC) refers to a type of access control by which the operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target. In practice, a subject is usually a process or thread; objects are constructs such as files, directories, TCP/UDP ports, shared memory segments, etc. Subjects and objects each have a set of security attributes. Whenever a subject attempts to access an object, an authorization rule enforced by the operating system kernel examines these security attributes and decides whether the access can take place. Any operation by any subject on any object will be tested against the set of authorization rules (aka policy) to determine if the operation is allowed.
Along similar lines, a sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third parties, suppliers and untrusted users. The sandbox typically provides a tightly controlled set of resources for guest programs to run in, such as scratch space on disk and in memory.
Some examples of sandboxes are:
- Applets are self-contained programs that run in a virtual machine or scripting language interpreter that does the sandboxing.
- A jail is a set of resource limits imposed on programs by the operating system kernel.
- Rule-based Execution gives users full control over what processes are started, spawned (by other applications), or allowed to inject code into other apps and have access to the net.
- Virtual machines emulate a complete host computer, on which a conventional operating system may boot and run as on actual hardware.
- Capability systems can be thought of as a fine-grained sandboxing mechanism, in which programs are given opaque tokens when spawned and have the ability to do specific things based on what tokens they hold. An example of capability-based user-level sandboxing would be HTML rendering in Google Chrome.
Cryptography
Mac OS provides the Cryptographic Services Manager (CSSM) to implement cryptography, but this is not supported by iPhone OS. On the iPhone most cryptographic functions are provided by the Certificate, Key, and Trust Services API. Certificate, Key, and Trust Services operates on certificates that conform to the ITU X.509 standard, uses the keychain to store and retrieve certificates and keys, and applies the trust policies provided by Apple.
Code Signing
Developers are required to add a digital signature to their apps; this is mandatory for an iPhone app. In addition, Apple adds its own signature before distributing an iPhone OS application. Adding a digital signature to an application or block of code is referred to as code signing.
Code signing ensures the integrity of the program and allows the system to recognize updated versions as the same program as the original. Once a program is signed, any change to the code not intended by the developer, whether introduced accidentally or by attackers, can be detected by the system. On the iPhone an application that has not been signed by Apple will not be executed.
References – Apple Developer Reference Library
Security and threat modeling is a vast arena and I have covered only a few important concepts here. I will explain other security concepts available for Windows Mobile, iPhone apps and other mobile operating systems in future posts. Mobile app security is mandatory if you want to gain the trust of the customers and end users of the app. The app should safeguard the user's data, and the app itself should not become an entry point for malicious code on their devices. If you haven't yet thought about security for your mobile application, now is the time to start.