Smartphone Applications - Common Criteria is going Mobile

Smartphone applications – Common Criteria is going Mobile. Dr. Jens Oberender, SRC Security Research & Consulting GmbH. ICCC2012 Paris.


Smartphones are a growing, fast-moving field of IT. Although smartphones and their applications are omnipresent and can potentially violate security, their development cycle is not yet thoroughly addressed by application evaluation. International Common Criteria Conference, Paris, France, September 18-20, 2012.

Transcript of Smartphone Applications - Common Criteria is going Mobile

  • 1. Smartphone applications – Common Criteria is going Mobile
      • Dr. Jens Oberender, SRC Security Research & Consulting GmbH
      • ICCC2012 Paris
  • 2. How to CC-evaluate smartphone apps? Agenda
      • Specify Security Target
      • TOE scope
      • Application specific SFRs
      • Assurance for Smartphone apps
      • Insight Summary
      • Common Criteria is going Mobile 2012 SRC Security Research & Consulting GmbH Page 2
  • 3. Specify TOE scope (TOE security functions / TOE Environment)
      • Data import
      • Access control & isolation
      • Key management
      • Policy enforcement
      • Encrypted storage
      • Mobile device management
  • 4. Security Functional Requirements: Generic Smartphone App (SFR: Smartphone App)
      • FDP_RIP.2 Residual Information Protection: Wipe residual data on app hibernation
      • FDP_SDI.2 Stored Data Integrity: Ensure authentic configuration
      • FPT_TST TSF Self Test: Detection of jail break and background apps
      • FPT_ITC Inter-TSF trusted channel: Mutual assured identification
      • FTA_SSL.3 TSF-initiated termination: Inactivity wipes user authentication
      • FTP_TRP Trusted Path: Key negotiation for secure transport
      • Audit/log performed by mobile device management
  • 5. Security Assurance Requirements: Smartphone App Fields of Interest (SAR: Notes for Smartphone App)
      • AGD_PRE: Authentic app market download
      • Allow for determined set of component interfaces
      • AGD_OPE: Certificate chain validation
      • ALC: Secure rollout and destruction
      • Crypto provider API versioning
      • ADV_TDS: Control flow, data flow for actions and forms
      • Signed app authenticity & trust
      • Remote wipe by mobile device management
      • Security Awareness through Smartphone-CERT
  • 6. Security Architecture: Evaluation of ADV_ARC (SAR: Notes for Smartphone App)
      • ADV_ARC: Secure startup platform settings
      • Self-protection between hibernate and startup
      • Non-bypassability configuration authenticity
      • Set app permissions sparsely
      • Regulate information flow with permissions
      • Enforce interaction policy during runtime, e.g. caller version and configuration on IPC
  • 7. Vulnerability Analysis: Test and Penetrate (SAR: Notes for Smartphone App)
      • ATE_IND: Validation of interface data
      • Issues with hibernation
      • AVA: Address Space Layout Randomization
      • Platform key chain mechanism
      • Entropy in key derivation
      • Strong base passwords necessary
      • Appropriate data protection classes
      • Relevance of Mass Infections (cf. chipcard domain)
      • Required skills for exploitation phase
      • Specific efforts & costs of performing attacks
  • 8. Insight Summary: Common Criteria is going Mobile
      • Common Criteria approach well-suited for evaluation
      • Identified app-specific requirements
      • Demand for Smartphone-CERT
      • Operation policies supplement platform measures
      • App mass infections prevented by market countermeasures
      • Achievable!
      • CC-Evaluation TOE scope limited
      • High-value targets: strict separation (e.g. HASK-PP from 2008)
      • Enterprise policy oriented (Mobile Device PP draft)
  • 11. Thank You!
      • Dr. Jens Oberender, SRC - Security Research & Consulting GmbH
      • Graurheindorfer Str. 149a, 53117 Bonn, Germany
      • phone +49-228-2806-182 | -0, fax: +49-228-2806-199
      • E-mail: [email protected]
      • WWW: www.src-gmbh.de, www.src-gmbh.de/download.html