Writing Secure Mobile Applications for Windows Mobile Pocket PCs and Smartphones
Marcus Perryman

"Building secure software is now critical to protecting our future, and every software developer must learn how to integrate security into all projects"

Writing Secure Code 2, Michael Howard and David LeBlanc

Agenda

- The Security Story
- Mobile device security
- Practical use of security
    - Perimeter security
    - Data transmission
    - Data storage
- Futures
    - Multi logon sessions
    - Managed classes for crypto access
- Summary

The Security Story

Secure code is designed to withstand malicious attack. Design to be secure, not a bolt on.

Trustworthy Computing: "Helping ensure a safe and reliable computing experience that is both expected and taken for granted."

- Security: resilient to attack
- Privacy: controlling data access
- Reliability: dependable systems
- Business integrity

Enterprise Implications

[Diagram: a tiered enterprise application in front of a data source, exposed through three interfaces (private IF, public IF, mobile IF) to customers/users, the call centre, workers and delivery. Every interface carries the same three requirements: authorisation, secure data transfer and protection from attack. The mobile case adds the question: loss of device?]

Security – General Approach

- Security vs usability trade-off
- Decide where to secure
    - Target the most important areas
    - Match security to risk
- Risk analysis as part of system design
    - Consider the areas most at risk / highest impact
    - Probability * Impact = Risk
    - List mitigations that reduce impact or probability
    - Track risk through the project (it changes!)

Risk Analysis

Threat                                                                  Prob  Imp   Risk
Unauthorised user steals or acquires device                             Med   High  High
Unauthorised user gains access to local data held on device             Med   High  High
Unauthorised user gains access to network, via device /
  gains access to backend data/systems, via device                      Med   High  High
Trusted user uses device for unapproved purposes                        Med   Low   Low
Trusted user exports data or synchronises with unapproved system        Low   High  Med
...

Device Specific Security

[Diagram: the device security stack. Application1, Application2 and SQL CE run on the Windows CE OS above an OEM security layer; the CAPI libraries and a file system filter sit in front of the object store. Password protection / data encryption and perimeter security are marked as the controls wrapped around the stack.]

Practical use of security

Device Security

- Devices today are NOT secure by default
- PCs today are improving (e.g. Win2003)
- Where to put security?
    - Secure at the perimeter
    - Secure data storage
    - Data transmission privacy
    - Secure at the service level

Device Security (cont.)

Advice:
- Don't make your own security algorithm!
- Adjust security vs usability
- Take care when storing secrets
- Don't transmit secrets!
- Sign code

[Diagram: App 1, App 2, App 3]

UK Police Mobile Solution

- Vision: to put 100 additional officers back on the beat in the next 12 months.
- Provide a mobile solution for office based applications: Police National Computer search, name/address search, firearms register etc.
- Risk analysis highlighted data privacy:
    - Transferring confidential information over GPRS
    - Storing confidential information on the mobile device
- Smart Client solution chosen for disconnected working

Solution Design: SmartBeat application (n-tier SOA)

[Diagram: on the server side, the data source and key data sit behind two firewalls, with RADIUS/RSA authentication. On the device side, a store-and-forward (S&F) request/response store, an input/display screen and an RSA dial code; the user's key is used to choose a key and encrypt the data held on the device.]

Police Solution

Power On Password

Replace the inbuilt password for Pocket PC by implementing:
    LPTSTR PromptForPasswd(HWND, BOOL);
    LONG CALLBACK CPlApplet(HWND, UINT, LONG, LONG);

Update the registry:
    HKLM\controlpanel\password
        Redirect = \windows\password.cpl

Call the device password APIs:
    BOOL CheckPassword(PasswordText);
    BOOL SetPassword(OldPwd, NewPwd);
    SetPasswordActive(TRUE, PasswordText);

Challenges:
- Device implementations do differ: work with your device vendor
- Pocket PC 2000 requires password.cpl: use this name for backward compatibility

Power On Password

Benefits:
- Finer control of password complexity
- Force password ON
- Generate an access key (don't store secrets!)
- Store protection: SQL CE / file system filter
- Server authentication / authorization
- Destroy private data on password fail, i.e. 5 strikes and out!
- Device state management: start applications / check install state

Power On Password

Other Perimeter Restrictions

- WiFi / GPRS
- IrDA
- Bluetooth
- ActiveSync

General principle: HKLM\Drivers\BuiltIn\<Hardware Driver>

Controlling removable media
- Disable SD card: HKLM\Drivers\BuiltIn\SDBusDriver
- Disable CF card: HKLM\Drivers\BuiltIn\PCMCIA
- Restrict via a file system filter or 3rd party tools

Disable Bluetooth (OEM specific)
- HKLM\Drivers\BuiltIn\ASIC5_BTUR (for XDA II)

Disable IrDA
- HKLM\Comm\AFD\Stack: remove irdastk

ActiveSync
- Machine generated password

Locking Down the Device

Data Transmission

- Windows Mobile 2003 certificate store: enables many more device scenarios
- Using SSL (HTTPS): SSL 2.0 / 3.0, SGC (SSL 2.0 has known weaknesses; prefer 3.0 where the server allows it)
- PPP (RAS), 802.1x: EAP, EAP-TLS, PEAP, LEAP support
- Virtual Private Network: PPTP and L2TP/IPSec support

On Device Data Protection

- SQL CE
    - Password protection per database (file store)
    - 128 bit encryption of the store
- 3rd party protected store applications
- Roll your own
    - File system filter
    - Application based store security

Vodafone Media Trial

- Vision: research into consumption of video media on a mobile device.
- Provide a mobile device with media on an SD card. Daily videos displayed in sequence with a questionnaire.
- Risk analysis highlighted data privacy: the video content is copyright and needed basic protection. DRM would be the ideal solution, but a Windows Media Player based solution was required for the timescales.

Solution Architecture

[Diagram: media data on the SD card reaches the device only through a file system filter, which ties it to the unique device ID.]

File System Filter

- Filter layer above the file system
- Hooks all high level store access APIs:
    - CreateFile, ReadFile, WriteFile, CloseHandle
    - FindFirstFile, FindNextFile
- Chained filter system, configured via a registry key:
    HKLM\System\StorageManager\FATFS\Filters\VodaFilter
        "Dll" = "VodaFilter.dll"
        Order = 0
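The filter chain described above, as an added example written for this page (it is not Vodafone's VodaFilter nor Microsoft's storage manager code). It models in Python what a stackable Windows CE filter does: each layer hooks CreateFile, ReadFile and the FindFirstFile/FindNextFile enumeration and forwards to the layer below. The binding filter only serves media files tagged for this device and hides the rest, which is the shape of the Vodafone design (media data, filter, unique device ID). DEVICE_ID, the tag scheme, the sample files and the rule that the lowest Order attaches closest to the file system are all assumptions for the illustration; a real content protection would also encrypt the media, which this model does not.

```python
import hashlib

# Constructed device identity; on a real device it comes from the OEM.
DEVICE_ID = b"PPC-EXAMPLE-0001"
TAG_LEN = 16


def media_tag(device_id: bytes) -> bytes:
    """Tag written at the head of each media file when it is provisioned for one device."""
    return hashlib.sha256(b"media-binding:" + device_id).digest()[:TAG_LEN]


class Fatfs:
    """Stand-in for the FAT file system under the filter chain; handles are just paths."""
    def __init__(self, files):
        self.files = dict(files)

    def create_file(self, path):
        if path not in self.files:
            raise FileNotFoundError(path)
        return path

    def read_file(self, handle):
        return self.files[handle]

    def find_files(self):
        return sorted(self.files)


class Filter:
    """A filter forwards each hooked call to the layer below unless it overrides it."""
    def __init__(self, lower):
        self.lower = lower

    def create_file(self, path):
        return self.lower.create_file(path)

    def read_file(self, handle):
        return self.lower.read_file(handle)

    def find_files(self):
        return self.lower.find_files()


class DeviceBindingFilter(Filter):
    """Only media tagged for this device can be opened; the tag is stripped on read and
    media bound to other devices is hidden from directory enumeration."""
    def __init__(self, lower, device_id):
        super().__init__(lower)
        self.tag = media_tag(device_id)

    @staticmethod
    def is_media(path):
        return path.lower().endswith(".wmv")

    def bound_here(self, path):
        return self.lower.read_file(self.lower.create_file(path))[:TAG_LEN] == self.tag

    def create_file(self, path):
        if self.is_media(path) and not self.bound_here(path):
            raise PermissionError(f"{path} is not provisioned for this device")
        return self.lower.create_file(path)

    def read_file(self, handle):
        data = self.lower.read_file(handle)
        return data[TAG_LEN:] if self.is_media(handle) else data

    def find_files(self):
        return [p for p in self.lower.find_files() if not self.is_media(p) or self.bound_here(p)]


class AuditFilter(Filter):
    """Records open attempts; stacked above the binding filter so denials are logged too."""
    def __init__(self, lower):
        super().__init__(lower)
        self.log = []

    def create_file(self, path):
        try:
            handle = self.lower.create_file(path)
        except PermissionError:
            self.log.append(("open", path, "denied"))
            raise
        self.log.append(("open", path, "ok"))
        return handle


def build_chain(fs, entries):
    """entries mimic the Filters\\<name> registry keys as (name, factory, Order). Modelling
    assumption: the lowest Order is attached to the file system first, so higher orders
    sit above it and see each call first."""
    layer = fs
    for _name, factory, _order in sorted(entries, key=lambda e: e[2]):
        layer = factory(layer)
    return layer


# Constructed SD card contents: one clip for this device, one for another, one plain file.
SAMPLE_FILES = {
    r"\Storage Card\day1.wmv": media_tag(DEVICE_ID) + b"<day 1 video>",
    r"\Storage Card\day2.wmv": media_tag(b"SOME-OTHER-DEVICE") + b"<day 2 video>",
    r"\Storage Card\survey.txt": b"Q1: did the clip play smoothly?",
}


def demo():
    """Returns (visible files, day 1 clip body, whether day 2 was refused, audit log)."""
    chain = build_chain(Fatfs(SAMPLE_FILES), [
        ("VodaFilter", lambda lower: DeviceBindingFilter(lower, DEVICE_ID), 0),
        ("AuditFilter", AuditFilter, 1),
    ])
    visible = chain.find_files()
    clip = chain.read_file(chain.create_file(r"\Storage Card\day1.wmv"))
    try:
        chain.create_file(r"\Storage Card\day2.wmv")
        denied = False
    except PermissionError:
        denied = True
    return visible, clip, denied, list(chain.log)
```

The ordering matters in the same way it does for real chained filters: put the audit layer below the binding layer and it never sees the denied open, because the binding filter refuses before forwarding.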

File System Filter Solution

Application Store Protection

CAPI library capabilities. The Microsoft CSP supports:
    MD2, MD5, SHA, SHA1, MAC, HMAC, SSL3_SHAMD5, RC2, RC4, RSA_SIGN, RSA_KEYX

Creating a key (every call returns FALSE on failure; check it and call GetLastError; provider type PROV_RSA_FULL assumed):
    HCRYPTPROV hProv; HCRYPTHASH hHash; HCRYPTKEY hKey;
    CryptAcquireContext(&hProv, NULL, NULL, PROV_RSA_FULL, 0);
    CryptCreateHash(hProv, CALG_MD5, 0, 0, &hHash);               /* hash the key material */
    CryptHashData(hHash, (BYTE *)data, (DWORD)Size, 0);
    CryptDeriveKey(hProv, CALG_RC2, hHash, CRYPT_EXPORTABLE, &hKey); /* session key from the hash */

Note that the key is a single unsalted hash of the input: if the input is a user password, an attacker holding the ciphertext can test guesses offline at one MD5 per attempt.

Application Store Protection

Encrypting data (Final = TRUE treats the buffer as the whole message; BytesRead is the plaintext length on entry and the ciphertext length on return, so for a block cipher such as RC2 the buffer must have room for up to one block of padding):
    CryptEncrypt(hKey, NULL, TRUE, 0, Buffer, &BytesRead, MAX_BUFFER);

Decrypting data (BytesRead is the ciphertext length on entry and the plaintext length on return):
    CryptDecrypt(hKey, NULL, TRUE, 0, Buffer, &BytesRead);
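The key derivation behind the CAPI sequence on the previous slide, and the "generate an access key, don't store secrets" advice from the Power On Password slide, as one added example. This is written for this page, not Microsoft's or the Police solution's code, and it is in Python rather than CAPI so it runs anywhere: hashlib and hmac stand in for the CSP. weak_key is what CryptHashData(CALG_MD5) followed by CryptDeriveKey amounts to; strong_key is the hardened form (salted, iterated PBKDF2). The record layout, VERIFIER_LABEL, ITERATIONS and the sample passwords are assumptions for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

VERIFIER_LABEL = b"power-on-password verifier"  # assumed constant
ITERATIONS = 100_000                              # assumed work factor; tune to the device CPU
MAX_STRIKES = 5                                   # "5 strikes and out"


def weak_key(password: str) -> bytes:
    """Unsalted single-pass digest of the password: the same password gives the same key
    on every device, and each attacker guess costs one MD5 call."""
    return hashlib.md5(password.encode("utf-8")).digest()


def strong_key(password: str, salt: bytes) -> bytes:
    """Salted, iterated derivation (PBKDF2-HMAC-SHA256): a guess table built for one device
    is useless against another, and each guess costs ITERATIONS hash calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=16)


def verifier_for(key: bytes) -> bytes:
    """Lets the device check a password without storing the password or the key."""
    return hmac.new(key, VERIFIER_LABEL, hashlib.sha256).digest()


def enroll(password: str, salt: Optional[bytes] = None) -> dict:
    """What the device stores: salt, verifier and strike counter. Neither the password
    nor the access key is written anywhere."""
    salt = salt if salt is not None else os.urandom(16)
    return {"salt": salt, "verifier": verifier_for(strong_key(password, salt)),
            "strikes": 0, "wiped": False}


def unlock(record: dict, attempt: str) -> Optional[bytes]:
    """Returns the access key on success, None on failure. After MAX_STRIKES consecutive
    failures the record is wiped, which is where the real device would destroy the store."""
    if record["wiped"]:
        return None
    key = strong_key(attempt, record["salt"])
    if hmac.compare_digest(verifier_for(key), record["verifier"]):
        record["strikes"] = 0
        return key
    record["strikes"] += 1
    if record["strikes"] >= MAX_STRIKES:
        record["wiped"] = True
        record["salt"] = b""
        record["verifier"] = b""
    return None


def dictionary_attack(target: bytes, candidates) -> Optional[str]:
    """Offline attack on a weak key: no salt to fetch, one MD5 per candidate."""
    for candidate in candidates:
        if weak_key(candidate) == target:
            return candidate
    return None
```

The access key returned by unlock is what the application would hand to the store encryption (SQL CE password or the file system filter) and discard when the device locks again; it never needs to be persisted, so a lost device yields only the salt and the verifier.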

Other Considerations

- Reduce the attack surface of the device:
    - Failed login? Remove sensitive data.
    - Time-out data.
- Transferring secret data
    - Never send as readable: use a secure channel
    - Consider sending a token instead
    - Keep the secret: use a callback
- Keeping track of date and time
    - SNTP support only in Windows CE .NET
    - Several examples of SNTP code on the web
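Since timing out data and expiring tokens both depend on a clock the device cannot set by itself, here is a minimal SNTP (RFC 4330) request builder and reply parser as an added example; it is written for this page and is not one of the web samples the slide refers to. It runs offline on a constructed reply; on a device, send build_request over UDP port 123 and pass the 48-byte answer to parse_response. The step limit in accept_time is an assumed policy, there because SNTP replies carry no authentication.

```python
import struct

NTP_UNIX_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
PACKET_LEN = 48


def build_request() -> bytes:
    """Client request: LI=0, VN=4, Mode=3 packed into the first byte; everything else zero."""
    return bytes([(0 << 6) | (4 << 3) | 3]) + bytes(PACKET_LEN - 1)


def parse_response(pkt: bytes) -> float:
    """Returns the server's transmit timestamp as Unix time. Rejects anything that is not
    a synchronised server reply (mode 4, stratum 1..15, leap indicator != 3)."""
    if len(pkt) < PACKET_LEN:
        raise ValueError("short SNTP packet")
    first, stratum = pkt[0], pkt[1]
    leap, mode = first >> 6, first & 7
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    if leap == 3 or not 1 <= stratum <= 15:
        raise ValueError("server unsynchronised or kiss-o'-death")
    secs, frac = struct.unpack("!II", pkt[40:48])  # transmit timestamp, 32.32 fixed point
    return secs - NTP_UNIX_OFFSET + frac / 2**32


def make_response(unix_time: float, stratum: int = 2) -> bytes:
    """Constructed server reply for offline use; only the fields parse_response reads are set."""
    whole = int(unix_time)
    pkt = bytearray(PACKET_LEN)
    pkt[0] = (0 << 6) | (4 << 3) | 4          # LI=0, VN=4, Mode=4 (server)
    pkt[1] = stratum
    pkt[40:48] = struct.pack("!II", whole + NTP_UNIX_OFFSET, int((unix_time - whole) * 2**32))
    return bytes(pkt)


def accept_time(server_time: float, local_time: float, max_step: float = 300.0) -> bool:
    """SNTP is unauthenticated: anyone on the GPRS or WiFi path can answer the request.
    Refuse to step the clock by more than max_step (assumed policy) so a spoofed reply
    cannot quietly revive timed-out data or expired tokens; larger corrections need an
    out-of-band decision."""
    return abs(server_time - local_time) <= max_step
```

A device whose clock can be moved backwards by whoever answers on port 123 cannot enforce "time-out data" on its own; the rejected-step path is the case to test, not the happy path.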

Smartphone Application Security

[Diagram: Windows CE OS with an OEM security layer and a certificate store. Application1 is brought in by the app loader, which checks its signature against the certificate store under the device security policy; applications then run either privileged or unprivileged. The policy settings shown are open, signed required and trusted required.]

Futures

Near future:
- Hardware innovations
    - Biometric solutions
    - Smartcard readers
- Managed classes for crypto access
    - Compact Framework V2
- Open Mobile Alliance (OMA)
    - DRM
    - Ringtones, images, branding etc.

Further ahead:
- Multi logon sessions (Macallan)

Summary

"Building secure software is now critical to protecting our future, and every software developer must learn how to integrate security into all projects"

Windows Mobile 2003 provides a rich suite of tools to help secure your application.

© 2003-2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.