Mobile Commerce: A Security Perspective
1. Mobile Commerce: A Security Perspective
Pragati Ogal Rai
Chief Technology Evangelist, PayPal Inc.
@pragatiogal
2. My Ego Slide!
• Author of “Android Application Security Essentials”
• 2014 Zinnov Thought Leadership Award
• Mobile Developer Relations, PayPal North America
• 15+ Years Industry Experience
• Mobile, Android, Security, Payments and Commerce
Pragati.Rai@paypal.com
@pragatiogal
www.slideshare.net/pragatiogal
www.linkedin.com/in/pragati
3. Mobile commerce is worth US$230 billion
M-Commerce will reach US$700 billion in 2017
Asia represents almost half of the market
http://www.digi-capital.com
4. Agenda
M-commerce defined
M-commerce ecosystem
End-to-end security
How does it affect me?
9. Mobile Commerce
Mobile commerce
• Promotions & coupons
• Payments
• Location-based services
• In-store research
• Self-scanning & self-checkout
• Social commerce
• Loyalty
• Mobile shopping lists
14. Partial Connectivity: Security Analysis
End-to-end security
Privacy
Client-merchant identification
Communication authentication
More points of attack
18. Mobile Security Stack
Mobile Security Stack (top to bottom):
Application
Operating System
Device Hardware
Infrastructure/Network
• Each layer takes care of its own security
• Each layer depends upon the lower layer for security
• Transitions between the layers can cause attacks
19. Infrastructure/ Network Layer
• Third-party networks
• GSM, CDMA, SMS, WAP, GPS…
• Usually a security breach at this layer is device agnostic
20. Breaking GSM
https://srlabs.de/decrypting_gsm/
• GnuRadio is included in recent Linux distributions
• Airprobe: git clone git://git.gnumonks.org/airprobe.git
• Kraken: git clone git://git.srlabs.de/kraken.git
• Kraken uses rainbow tables available through Bittorrent
21. Device Hardware Layer
• Consumer Electronics Devices (CEDs)
• Some CEDs are connected
• Computing capability + runs software
• Smartphones, tablets, mobile PoS device, parking meter, vending machine
• A flaw in chip design affects all hardware based on that chip
23. Device Security: Example
Brought to light by user "alephzain" on the mobile developer forum XDA Developers; the user claims that the flaw potentially affects Samsung devices that use Exynos processor models 4210 and 4412, specific examples including the Samsung Galaxy S2 and Samsung Galaxy Note 2, which use the dual-core, fourth-generation Exynos chips.
"The good news is we can easily obtain root on these devices and the bad is there is no control over it. RAM dump, kernel code injection and others could be possible via app installation from Play Store. There certainly exist many ways to do that but Samsung gives an easy way to exploit. This security hole is dangerous and exposes the phone to malicious apps. Exploitation with native C and JNI could be easily feasible."
http://www.zdnet.com/security-flaw-found-in-samsung-handsets-tablets-7000008880/
24. Operating System Layer
• Android, iOS, Symbian, Windows, J2ME
• Flaws are most common and are easily exploited
• Compromises security of applications
• A flaw affects the entire revision of software
• Patches and security fixes are common
25. Android Software Stack
• Permission-based application model
• Linux kernel based process sandboxing
26. OS Security: Example
Android 2.3.3 and below…
When you log in to an account, an authToken is stored locally on your device for 14 days, allowing you to re-access the service without hassle. Unfortunately, tokens are transferred through an unencrypted channel, so they can easily be intercepted. Once intercepted, the attacker can log in to the account associated with the authToken without question.
http://www.androidpolice.com/2011/05/17/security-vulnerability-in-most-versions-of-android-allows-attackers-to-steal-your-login-credentials/
• Don’t use public Wi-Fi!
• Patched in 2.3.4 and Honeycomb
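As an added defensive example (not code from the deck, from Android, or from the service described), the application-layer counterpart to the flaw above: a small Java helper for an Android client that attaches the session token only to a TLS connection and drops any redirect to a plaintext target, so an unencrypted hop like the one described never carries the token. The class name, the endpoint argument and the `Authorization: Bearer` header form are assumptions for illustration.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;

/**
 * Added example, not from the original deck. The application layer is the only
 * layer the app author controls, so the token is guarded here rather than by
 * trusting the network or the OS revision the device happens to run.
 */
public final class TokenTransport {
    // Header name and scheme are assumptions; use what the target service defines.
    static final String AUTH_HEADER = "Authorization";

    private TokenTransport() {}

    /**
     * Opens a connection to endpoint carrying authToken. Fails before any bytes
     * are sent if the scheme is not https, which is exactly the condition the
     * intercept-and-replay flaw above relied on.
     */
    public static HttpsURLConnection openAuthenticated(String endpoint, String authToken)
            throws IOException {
        URL url = new URL(endpoint);
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IOException("refusing to send auth token over plaintext: " + endpoint);
        }
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // A redirect to an http:// URL would re-expose the token, so never follow one.
        conn.setInstanceFollowRedirects(false);
        // Do not let a response that sat next to the token land in a shared cache.
        conn.setUseCaches(false);
        conn.setRequestProperty(AUTH_HEADER, "Bearer " + authToken);
        return conn;
    }

    /** After connect: if the server answered with a redirect, allow only a TLS target. */
    public static void rejectPlaintextRedirect(HttpURLConnection conn) throws IOException {
        int code = conn.getResponseCode();
        if (code >= 300 && code < 400) {
            String location = conn.getHeaderField("Location");
            if (location != null && !location.toLowerCase().startsWith("https://")) {
                throw new IOException("redirect to non-TLS target dropped: " + location);
            }
        }
    }
}
```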
27. Application Layer
• Your applications, system applications, applications you install
• Coding flaws, exploiting a hole in the OS
• Buffer overflows, data leakage, custom crypto algorithms, hardcoded values
28. Malicious App Examples
Android
• Repackaged apps on Play posing as Temple Run and Glu Mobile
• Lovetrap: Trojan, sends SMS
• Nickispy: Trojan, steals info
• Geinimi: Botnet, follows orders from remote server, sends sensitive info back
iPhone
• Trojan sends out contact list to server
• Handy Light: secret tethering utility
29. TrustZone: Trusted Execution Environment
• Two domains: Normal & Secure
• Implemented as SoC
• Security extensions to processor
• Trusted OS
• Virtualization
www.arm.com
31. Mobile Security Stack
Application (only this is in your control!)
Operating System
Hardware
Infrastructure/Network
Do NOT trust the mobile ecosystem!
33. PCI Standard Council
Independent organization
PCI PTS approved add-on devices
PA DSS approved applications
Working with mobile vendors for further solutions around mobile payments
Develop common set of payment standards
– PCI-DSS v2.0
– PA-DSS
– PCI-PTS
– PCI-P2PE
34. PCI-DSS V2.0
Build and maintain a secure network
Protect cardholder data
Regularly test and monitor networks
Maintain an InfoSec policy
Maintain vulnerability management program
Implement strong access control measures
43. Summary
M-commerce is a complex space
Understand what mobile means for your business
Identify assets/threats
Analyze technology being used
Be aware of emerging standards
Use OS security features, crypto tools, identity and authorization
44. Pragati Ogal Rai
@pragatiogal
http://www.slideshare.net/pragatiogal
Thank You!
Editor's notes
Disconnected
Double Spending
Credentials checking
Updates
Privacy
Integrity of State