Smartphone Platform Security - What can we learn from Symbian?

Franklin Heath Ltd
Craig Heath, Independent Security Consultant
15 Jan 2015

Transcript of Smartphone Platform Security - What can we learn from Symbian?


Page 2: Smartphone Platform Security - What can we learn from Symbian?

© Franklin Heath Ltd, CC BY 3.0

Discussion Points

Was Symbian OS platform security a success?

Did developer difficulties with platform security contribute to Symbian’s downfall?

Could those difficulties have been prevented?

Did Symbian’s platform security have anything better than today’s successful platforms?


Page 3: Smartphone Platform Security - What can we learn from Symbian?

Symbian OS Versions

Without Platform Security

Year | Ver. | UI Layer | Typical Phone
2001 | 6.0 | Series 80 | Nokia 9210
2002 | 6.1 | S60 1st Edition+FP1 | Nokia 7650
     |     | MOAP(S) | Fujitsu F2051
     | 7.0 | UIQ 2.0 (& 2.1) | Sony Ericsson P800
2003 | 7.0S | S60 2nd Edition+FP1 | Nokia 6600
2004 | 8.0a | S60 2nd Edition FP2 | Nokia 6630
2005 | 8.1a | S60 2nd Edition FP3 | Nokia N90
2007 | 8.1b | MOAP(S) | Fujitsu F905i

With Platform Security

Year | Ver. | UI Layer | Typical Phone
2006 | 9.1 | S60 3rd Edition | Nokia 3250
     |     | UIQ 3.0 | Sony Ericsson P990
2007 | 9.2 | S60 3rd Edition FP1 | Nokia N95
     |     | UIQ 3.1 & 3.2 | Motorola Z8
2008 | 9.3 | S60 3rd Edition FP2 | Samsung i8510
     | 9.4 | S60 5th Edition | Nokia 5800
2009 |     |     | Nokia N97
2010 | ^2 | MOAP(S) | Fujitsu F-07B
     | ^3 | S60 | Nokia N8
2011 | Anna | S60 | Nokia E6

Page 4: Smartphone Platform Security - What can we learn from Symbian?

Symbian Platform Security Architecture

- Run-time controls on system and applications
- Based on long-established security principles
  - e.g. “Trusted Computing Base”, “Least Privilege”
- Designed for mobile device use cases
  - low-level, highly efficient implementation
- “Capabilities” determine process privileges
  - checked by APIs which offer security-relevant services
- “Data Caging” protects stored data
  - protected directories for system and for applications
- Secure identifiers (“SIDs”) for applications
  - verified at install-time
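How capabilities, data caging and SIDs combine into one access decision, as an added example that is not from the slides and is not Symbian API code. Assumptions: the directory names `\sys`, `\resource` and `\private\<SID>` and their capability rules come from the published Symbian data-caging design rather than from this deck, and every type and function name is hypothetical.

```cpp
// Added illustration: simplified model of Symbian-style data caging.
// Not Symbian API code; every type and function name here is hypothetical.
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <string>

enum Capability : uint32_t { kNone = 0, kTCB = 1u << 0, kAllFiles = 1u << 1 };
enum class Access { Read, Write };
struct Process {
    uint32_t sid;   // secure identifier (SID), verified at install time
    uint32_t caps;  // bitmask of Capability values the process holds
};

// Lower-case and unify separators so directory comparisons are uniform.
static std::string Normalise(const std::string& path) {
    std::string out;
    for (unsigned char c : path) out += (c == '/') ? '\\' : (char)std::tolower(c);
    return out;
}
static bool Under(const std::string& p, const std::string& dir) {
    return p == dir || p.compare(0, dir.size() + 1, dir + "\\") == 0;
}

// Capabilities needed for normalised path `p` (drive letter omitted in this model).
uint32_t RequiredCaps(const Process& proc, const std::string& p, Access a) {
    if (Under(p, "\\sys"))      return a == Access::Write ? kTCB : kAllFiles;
    if (Under(p, "\\resource")) return a == Access::Write ? kTCB : kNone;
    if (Under(p, "\\private")) {
        char own[32];
        std::snprintf(own, sizeof own, "\\private\\%08x", (unsigned)proc.sid);
        return Under(p, own) ? kNone : kAllFiles;  // own cage needs nothing
    }
    return kNone;  // public area: not caged
}

bool MayAccess(const Process& proc, const std::string& path, Access a) {
    const std::string p = Normalise(path);
    if (p.find("..") != std::string::npos) return false;  // refuse, don't resolve
    const uint32_t need = RequiredCaps(proc, p, a);
    return (proc.caps & need) == need;
}

int main() {
    Process app{0x1000ABCD, kNone};  // constructed sample SID, no capabilities
    std::printf("own cage write: %d\n", MayAccess(app, "\\private\\1000abcd\\a.ini", Access::Write));
    std::printf("other cage read: %d\n", MayAccess(app, "\\private\\1000abce\\a.ini", Access::Read));
    std::printf("sys read: %d\n", MayAccess(app, "\\sys\\bin\\a.exe", Access::Read));
}
```

The model refuses any path containing `..` instead of resolving it, so a relative component cannot be used to step out of a process's own private directory.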

Page 5: Smartphone Platform Security - What can we learn from Symbian?

Symbian OS New Malware Strains and Variants Per Month

[Chart: new Symbian OS malware strains and variants per month. Legend: New Variant. Annotation: First phones introduced with platform security.]

Page 6: Smartphone Platform Security - What can we learn from Symbian?

Developer Difficulties

- Compatibility break
  - Used as an excuse for fixing accumulated technical debt
- Additional complexity
  - SIDs, data caging, etc.
  - “How do I know what capabilities I need?”
- Difficulty of debugging
  - “Why can’t you just turn the security off?”
- Cost of approval and signing
  - ...even though it was steadily reduced over time
- Delays caused by approval and signing process
  - Rejections were common

Page 7: Smartphone Platform Security - What can we learn from Symbian?

Aside: Symbian OS C++

- Same language and environment for apps as the OS (and/or UI)
  - In principle allows third party developers to produce powerful apps
  - ... but harder to work with in-progress documentation and finicky tools
- Non-standard C++ “idioms”
  - Descriptors, active objects, cleanup stack
  - ANSI exception handling came too late
  - Technically good (vastly more power efficient)
  - ... but steep learning curve
- Alternatives were either too little (CDC Java, MIDP Java)
  - ... or too late (PIPS, Qt)

Page 8: Smartphone Platform Security - What can we learn from Symbian?

Symbian Signed Capability Groups

User: LocalServices, Location, NetworkServices, ReadUserData, UserEnvironment, WriteUserData

Extended (System): PowerMgmt, ProtServ, ReadDeviceData, SurroundingsDD, SwEvent, TrustedUI, WriteDeviceData

Extended (Restricted): CommDD, DiskAdmin, NetworkControl, MultimediaDD

Manufacturer: AllFiles, DRM, TCB

Page 9: Smartphone Platform Security - What can we learn from Symbian?

Symbian Signed Capability Groups

Columns: Group | Additional Capabilities Permitted | Unverified (Unsigned or Self-signed; Developer Certificate per IMEI(s)) | Verified with Publisher ID (Developer Certificate per IMEI(s); Express Signed; Certified Signed)

User | 6 | install-time user prompt; Yes; Yes; Yes; Yes
Extended (System) | 7
Extended (Restricted) | 4
Manufacturer | 3 | OEM approval; OEM approval

Page 10: Smartphone Platform Security - What can we learn from Symbian?

Symbian Signed Costs

- 2004, initially a branding / co-marketing programme
  - All outsourced costs passed to publisher (could be over $1000 per app)
  - Most developers were their own publisher
- 2006, required for “non-user-grantable” platform security capabilities
  - Standardised testing, lowest price €195
  - Still required $395 publisher ID annually
- 2007, reduced costs but increased complexity
  - Publisher IDs reduced to $200
  - “Express Signed” $20
    - subset of “extended” capabilities, self-testing with random auditing afterwards
- 2010, streamlined test criteria
  - Express Signed €10, Certified Signed €150
- 2010, Nokia pays for and performs signing for Ovi Store submissions

Page 11: Smartphone Platform Security - What can we learn from Symbian?

What Could We Have Done Differently?

- Needed more clout and/or money
  - Google were able to ignore operator demands
  - Apple were able to phase out DRM
  - Apple were able to subsidise approval process
- CA-issued publisher IDs were probably a mistake
  - Self-signed works for Google Android
  - Didn’t help us track down malicious actors
- Robustness was pretty good
- User experience was pretty good

Page 12: Smartphone Platform Security - What can we learn from Symbian?


Discussion Points

Was Symbian OS platform security a success?

Did developer difficulties with platform security contribute to Symbian’s downfall?

Could those difficulties have been prevented?

Did Symbian’s platform security have anything better than today’s successful platforms?
