Dr. Jens Oberender
SRC Security Research & Consulting GmbH




Smartphone applications –
Common Criteria is going Mobile




ICCC2012 Paris
How to CC-evaluate smartphone apps?
Agenda

- Specify Security Target
   - TOE scope
   - Application specific SFRs

- Assurance for Smartphone apps
- Insight Summary
          Common Criteria is going Mobile   2012 © SRC Security Research & Consulting GmbH   Page 2
Specify TOE scope

TOE security functions                       TOE Environment
  Data import                                    Access control & isolation
  Key management                                 Policy enforcement
  Encrypted storage                              Mobile device management




Security Functional Requirements
Generic Smartphone App
SFR              Smartphone App
FDP_RIP.2        Residual Information Protection
                 Wipe residual data on app hibernation
FDP_SDI.2        Stored Data Integrity
                 Ensure authentic configuration
FPT_TST          TSF Self Test
                 Detection of jailbreak and background apps
FPT_ITC          Inter-TSF trusted channel
                 Mutual assured identification
FTA_SSL.3        TSF-initiated termination
                 Inactivity wipes user authentication
FTP_TRP          Trusted Path
                 Key negotiation for secure transport

- Audit/log performed by mobile device management
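
The FDP_RIP.2 and FTA_SSL.3 rows above, together with the hibernation issues raised on the later architecture and testing slides, as an added example that is not part of the original slides: a Python model of an app session that wipes decrypted data on hibernation and drops user authentication after inactivity, including inactivity that elapses while the app is suspended. The names `AppSession`, `wipe` and `LockedError`, the 300-second idle limit and the PBKDF2 round count are assumptions made for the illustration; Python cannot wipe immutable copies of a secret, so a real app would hold key material in native buffers.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # constructed value for this example


class LockedError(Exception):
    """Raised when protected data is requested without valid authentication."""


def wipe(buf):
    """Overwrite a bytearray in place; rebinding the name would leave the bytes behind."""
    for i in range(len(buf)):
        buf[i] = 0


class AppSession:
    """Hypothetical session object; Python stands in for the platform language."""

    def __init__(self, password, idle_limit_s, clock):
        self._clock = clock            # must keep advancing while the app is suspended
        self._idle_limit_s = idle_limit_s
        self._salt = os.urandom(16)
        key = self._derive(password)
        self._verifier = hashlib.sha256(key).digest()  # only a check value is kept
        wipe(key)
        self._key = None               # user authentication, subject to FTA_SSL.3
        self._last_activity = None
        self._cache = {}               # decrypted working data, subject to FDP_RIP.2

    def _derive(self, password):
        raw = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, PBKDF2_ROUNDS)
        return bytearray(raw)

    def unlock(self, password):
        key = self._derive(password)
        if not hmac.compare_digest(hashlib.sha256(key).digest(), self._verifier):
            wipe(key)
            return False
        self.lock()                    # wipe any earlier session state first
        self._key, self._last_activity = key, self._clock()
        return True

    def _drop_cache(self):
        for buf in self._cache.values():
            wipe(buf)
        self._cache.clear()

    def lock(self):
        """FTA_SSL.3: end the session, wiping the key and everything decrypted with it."""
        if self._key is not None:
            wipe(self._key)
        self._key = None
        self._drop_cache()

    def _expire_if_idle(self):
        # Evaluated on every access instead of by a timer: a timer does not fire
        # while the app is hibernated, so the limit would otherwise be skipped.
        if self._key is not None and self._clock() - self._last_activity >= self._idle_limit_s:
            self.lock()

    def is_authenticated(self):
        self._expire_if_idle()
        return self._key is not None

    def _require_active(self):
        if not self.is_authenticated():
            raise LockedError("re-authentication required")
        self._last_activity = self._clock()

    def put(self, name, plaintext):
        self._require_active()
        self._cache[name] = bytearray(plaintext)

    def get(self, name):
        self._require_active()
        buf = self._cache.get(name)
        return None if buf is None else bytes(buf)

    def on_hibernate(self):
        """FDP_RIP.2: no decrypted data stays in the hibernated process image."""
        self._drop_cache()


def demo():
    now = [0.0]                        # constructed clock, advanced by hand
    s = AppSession("correct horse battery staple", idle_limit_s=300, clock=lambda: now[0])
    out = {"wrong_password": s.unlock("guess"),
           "unlock": s.unlock("correct horse battery staple")}
    s.put("record", b"constructed sample plaintext")
    buf = s._cache["record"]           # keep a reference to observe the wipe
    now[0] = 60.0
    s.on_hibernate()
    out["buffer_zeroed"] = not any(buf)
    out["still_authenticated"] = s.is_authenticated()   # 60 s idle, below the limit
    out["cache_after_resume"] = s.get("record")         # data must be re-read, not reused
    now[0] = 360.0                     # suspended past the limit since last activity
    out["authenticated_after_long_suspend"] = s.is_authenticated()
    return out


if __name__ == "__main__":
    print(demo())
```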
Security Assurance Requirements
Smartphone App Fields of Interest
SAR       Notes for Smartphone App
AGD_PRE   Authentic app market download
          Allow for determined set of component interfaces
AGD_OPE   Certificate chain validation
ALC       Secure rollout and destruction
          Crypto provider API versioning
ADV_TDS   Control flow, data flow for actions and forms


- Signed app ≠ authenticity & trust
- Remote wipe by mobile device management
- Security Awareness through Smartphone-CERT


Security Architecture
Evaluation of ADV_ARC
SAR        Notes for Smartphone App
ADV_ARC    Secure startup:       platform settings
           Self-protection:      between hibernate and startup
           Non-bypassability:    configuration authenticity

- Set app permissions sparsely
- Regulate information flow with permissions
    - Enforce interaction policy during runtime,
      e.g. caller version and configuration on IPC




Vulnerability Analysis
Test and Penetrate
SAR        Notes for Smartphone App
ATE_IND    Validation of interface data
           Issues with hibernation
AVA        Address Space Layout Randomization
           Platform key chain mechanism
           Entropy in key derivation

- Strong base passwords necessary
- Appropriate data protection classes
- Relevance of Mass Infections (cf. chipcard domain)
    - Required skills for exploitation phase
    - Specific efforts & costs of performing attacks
Insight Summary
Common Criteria is going Mobile
- Common Criteria approach well-suited for evaluation
    Identified app-specific requirements
    Demand for Smartphone-CERT
    Operation policies supplement platform measures
    App mass infections prevented by market countermeasures

- Achievable! CC-Evaluation
    TOE scope limited
    High-value targets: strict separation (e.g. HASK-PP from 2008)
    Enterprise policy oriented (Mobile Device PP draft)



Thank You!




                    Dr. Jens Oberender
                    SRC - Security Research & Consulting GmbH
                    Graurheindorfer Str. 149a
                    53117 Bonn
                    Germany

                    phone            +49-228-2806-182 | -0
                    fax:             +49-228-2806-199
                    E-mail:          jens.oberender@src-gmbh.de
                    WWW:             www.src-gmbh.de
                                     www.src-gmbh.de/download.html

 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 

Smartphone Applications - Common Criteria is going Mobile

  • 1. Dr. Jens Oberender
       SRC Security Research & Consulting GmbH
       Smartphone applications – Common Criteria is going Mobile
       ICCC2012 Paris
  • 2. How to CC-evaluate smartphone apps?
       Agenda
         Specify Security Target
           TOE scope
           Application specific SFRs
         Assurance for Smartphone apps
         Insight Summary
       Common Criteria is going Mobile   2012 © SRC Security Research & Consulting GmbH   Page 2
  • 3. Specify TOE scope
       TOE security functions      TOE Environment
         Data import                 Access control & isolation
         Key management              Policy enforcement
         Encrypted storage           Mobile device management
  • 4. Security Functional Requirements
       Generic Smartphone App
       SFR          Smartphone App
       FDP_RIP.2    Residual Information Protection
                    Wipe residual data on app hibernation
       FDP_SDI.2    Stored Data Integrity
                    Ensure authentic configuration
       FPT_TST      TSF Self Test
                    Detection of jail break and background apps
       FPT_ITC      Inter-TSF trusted channel
                    Mutual assured identification
       FTA_SSL.3    TSF-initiated termination
                    Inactivity wipes user authentication
       FTP_TRP      Trusted Path
                    Key negotiation for secure transport

       Audit/log performed by mobile device management
  • 5. Security Assurance Requirements
       Smartphone App Fields of Interest
       SAR        Notes for Smartphone App
       AGD_PRE    Authentic app market download
                  Allow for determined set of component interfaces
       AGD_OPE    Certificate chain validation
       ALC        Secure rollout and destruction
                  Crypto provider API versioning
       ADV_TDS    Control flow, data flow for actions and forms

       Signed app ≠ authenticity & trust
       Remote wipe by mobile device management
       Security Awareness through Smartphone-CERT
  • 6. Security Architecture
       Evaluation of ADV_ARC
       SAR        Notes for Smartphone App
       ADV_ARC    Secure startup platform settings
                  Self-protection between hibernate and startup
                  Non-bypassability configuration authenticity
                  Set app permissions sparsely
                  Regulate information flow with permissions
                  Enforce interaction policy during runtime, e.g. caller version and configuration on IPC
  • 7. Vulnerability Analysis
       Test and Penetrate
       SAR        Notes for Smartphone App
       ATE_IND    Validation of interface data
                  Issues with hibernation
       AVA        Address Space Layout Randomization
                  Platform key chain mechanism
                  Entropy in key derivation
                  Strong base passwords necessary
                  Appropriate data protection classes
                  Relevance of Mass Infections (cf. chipcard domain)
                  Required skills for exploitation phase
                  Specific efforts & costs of performing attacks
  • 8. Insight Summary
       Common Criteria is going Mobile
         Common Criteria approach well-suited for evaluation
         Identified app-specific requirements
         Demand for Smartphone-CERT
         Operation policies supplement platform measures
         App mass infections prevented by market countermeasures
         Achievable!
         CC-Evaluation
         TOE scope limited
         High-value targets: strict separation (e.g. HASK-PP from 2008)
         Enterprise policy oriented (Mobile Device PP draft)
  • 11. Thank You!
       Dr. Jens Oberender
       SRC - Security Research & Consulting GmbH
       Graurheindorfer Str. 149a
       53117 Bonn
       Germany
       phone +49-228-2806-182 | -0
       fax: +49-228-2806-199
       E-mail: jens.oberender@src-gmbh.de
       WWW: www.src-gmbh.de
            www.src-gmbh.de/download.html