2 nd September 2004
Mobile Device Security Jason Langridge Mobile and Embedded Device Division 2 nd September, 2004
Agenda Windows Mobile Security Windows Mobile Security Perimeter Protection Anti-Virus and Firewall Installation and Execution Control Data protection Authentication 3 rd Party Solutions 3 rd Party Solutions Futures Futures Discussion Discussion
Device Owner Ownership challenges Enterprise Phone Operator Ensure device data protected Enable secure network access Deploy rich device apps Ensure secure device Ensure reliable device Operator specific configuration Enable rich device services Data access anywhere/anytime Ability to run rich applications Ensure secure device A reliable and secure device
Mobile Device Security Challenges Devices infrequently connected to an organisation’s network Devices infrequently connected to an organisation’s network Many Personal devices, yet expectation they should be managed by their employer Many Personal devices, yet expectation they should be managed by their employer Mixture of business and personal applications and data Mixture of business and personal applications and data Large % of devices enter through the back door (>75%) Large % of devices enter through the back door (>75%) Growing capacity > 1GB Growing capacity > 1GB Pilots blur into production Pilots blur into production
Device Password 4-digit PIN (Pocket PC) 4-digit PIN (Pocket PC) Strong password (Pocket PC & SmartPhone) Strong password (Pocket PC & SmartPhone) >4 digit PIN (Smartphone) >4 digit PIN (Smartphone) Exponential delay with incorrect password Exponential delay with incorrect password Password protected ActiveSync partnership Password protected ActiveSync partnership
1. Device Password – OEM Fingerprint reader HP iPAQ 5400 Series
Device Password – 3 rd Party Picture sequence Picture sequence Tells a story Easy to remember Picture order changes Picture order changes Avoid pattern recognition Balances screen scratches Short and long sequence Short and long sequence Quick access short PIN Incorrect PIN reverts to long PIN Pointsec Software
Device Password – 3 rd Party Password Replacement Secures PDA access Secures PDA access Uses secret sign biometric Sandia Laboratories Tested Scenarios Scenarios Information warfare Homeland defense HIPPA compliance Enterprise security Crypto-Sign Crypto-Sign TM
Anti-Virus Software Built-in APIs for Anti-virus solutions Built-in APIs for Anti-virus solutions Computer Associates F-Secure McAfee SOFTWIN Personal Firewall Personal Firewall Bluefire Security Technologies Check Point VPN-1 SecureClient
Execution Control Smartphone now - Pocket PC in future release. Smartphone now - Pocket PC in future release. Based on application signing and protects in two ways: Based on application signing and protects in two ways: Installation Execution Modes of operation Modes of operation All apps allowed Prompt user when un-signed app is trying to install or execute Only signed applications (chaining to a trusted root certificate) are allowed Can revoke applications Can revoke applications By author (revoke a signing cert) By executable (revoke a hash) Windows Mobile: Mobile-2-Market program Windows Mobile: Mobile-2-Market program Run registered applications as unprivileged
Data Protection Limit the data to just what is needed…. Limit the data to just what is needed…. Cryptographic services for applications are built-in (Crypto API v2) Cryptographic services for applications are built-in (Crypto API v2) SQL-CE provides 128-bit encryption (PPC only) SQL-CE provides 128-bit encryption (PPC only) 3 rd Party options: 3 rd Party options: CompanyProduct Applian TechnologiesThe Pocket Lock offers both file and folder encryption. Asynchrony.comPDA Defense for the Pocket PC encrypts databases, files, and memory cards. Cranite SystemsWirelessWall provides AES data encryption for Pocket PCs Developer One, Inc.CodeWallet Pro provides a secure way to store and access important information on your Pocket PC or Smartphone Handango, Inc.Handango Security Suite for Pocket PC provides file and data encryption. Pointsec Mobile Technologies Pointsec for Pocket PC encrypts all data stored in the device, whether in RAM or on external storage cards. SoftWinterseNTry 2020 encrypts data on external storage cards. Trust Digital LLCPDASecure secures access to a Pocket PC and encrypts the data on it. It also prevents unauthorized infrared beaming of data.
Secure Connectivity Infrastructure VPN VPN SSL SSL Network Authentication Network Authentication Credential Manager Credential Manager
VPN Virtual Private Networking (VPN) Virtual Private Networking (VPN) Secure connection via Internet to corporate network Support for: Support for: PPTP IPSec/L2TP No support for IPSec Tunneling Mode No support for IPSec Tunneling Mode
SSL 128 bit encryption 128 bit encryption Server Validation Server Validation Verify WEB Server Identity Verify a trusted certifiate authority issued the server’s certificate – “Walking the Chain” Client Validation Client Validation Uses certificate from MyStore
Network Authentication 802.1x technology for wireless LANs 802.1x technology for wireless LANs Extensible Application Protocol-Transport Layer Security (EAP-TLS) for certificate-based authentication Protected Extensible Authentication Protocol (PEAP) for password-based authentication WiFi Protected Access (WPA) for security without the back-end infrastructure Dial-up authentication - Windows NT® Challenge/Response Dial-up authentication - Windows NT® Challenge/Response Support for multiple networking and authentication protocols for accessing secure Web sites Support for multiple networking and authentication protocols for accessing secure Web sites SSL 3.1, Private Communications Technology (PCT), and Point-to-Point Protocol (PPP), as well as Wireless Transport Layer Security (WTLS) class 2 for accessing secure Wireless Access Protocol (WAP) sites. Authentication for Virtual Private Networking Authentication for Virtual Private Networking Challenge Handshake Authentication Protocol (CHAP and MS-CHAP versions 1 and 2) Password Authentication Protocol (PAP) Serial Line Internet Protocol (SLIP) and PPP
Credential Management Credentials – Username/Password/Domain Credentials – Username/Password/Domain Stored per server Stored per server Credential storage can be disabled for Enterprise customers Credential storage can be disabled for Enterprise customers
Perimeter protection Perimeter protection Device lock: PIN, Strong, exponential delay Authentication protocols: PAP, CHAP, MS- CHAP, NTLM, TLS Data protection Data protection 128-bit Cryptographic services: CAPIv2 Code signing (SmartPhone only) Anti-virus API Application Installation and Execution protection Application Installation and Execution protection Network protection Network protection OTA device management security Secure Browsing: HTTP (SSL), WAP (WTLS) Virtual Private Networking (PPTP, L2TP IPSec) Wireless network protection (WEP, 802.1x, WPA) Summary of Windows Mobile Security Features
References Windows Mobile Security White paper Windows Mobile Security White paper /resources/whitepapers/security.mspx /resources/whitepapers/security.mspx /resources/whitepapers/security.mspx Security Product Solutions Security Product Solutions /information/businesssolutions/security/s ecsearch.aspx /information/businesssolutions/security/s ecsearch.aspx /information/businesssolutions/security/s ecsearch.aspx
Signature authentication Signature authentication Certicom Corporation Communication Intelligence Corporation TSI/Crypto-Sign VASCO Enhanced password protection Enhanced password protection Hewlett-Packard Pictograph authentication Pictograph authentication Pointsec Mobile Technologies Fingerprint authentication Fingerprint authentication Biocentric Solutions Inc. HP iPAQ 5400 Card-based authentication Card-based authentication RSA Security Schlumberger Sema Certificate Authentication on a Storage Card Certificate Authentication on a Storage Card JGUI Software Storage Encryption Software Storage Encryption F-Secure Pointsec Mobile Technologies Trust Digital LLC Encrypt Application Data Encrypt Application Data Certicom Corporation Glück & Kanja Group Ntrū Cryptosystems, Inc. Virtual Private Networking Virtual Private Networking Certicom Corporation Check Point Software Technologies Ltd. Columbitech Entrust, Inc. Epiphan Consulting Inc. Disable Applications Disable Applications Trust Digital LLC Device Wipe Device Wipe Asynchrony.com Public Key Infrastructure (PKI) Public Key Infrastructure (PKI) Certicom Corporation Diversinet Corp. Dreamsecurity Co., Ltd. Glück & Kanja Group Thin Client Technology Thin Client Technology Citrix FinTech Solutions Ltd. Microsoft 3 rd Party Solution Providers
Discussion Is Security a significant barrier to you deploying mobile devices today? Is Security a significant barrier to you deploying mobile devices today? What key elements are we missing from our product set? What key elements are we missing from our product set?
Application Security Mobile2Market process Mobile2Market process Build app Logo test app with M2M test house Purchase certificate from M2M CA Sign app and submit to CA for countersign w/ M2M cert Create and sign CAB, and submit to CA for countersign Submit to M2M catalog Differences with Windows Desktop Differences with Windows Desktop Desktop does not have code signing for normal apps (only drivers, VBA, ActiveX controls) No online revocation Code signing happens at CA service (not offline) In most device configurations, every app must be signed with a recognized id Run/block decision made by MO, not user (usually)
Native Application Privileges Locked Device: Block all Block all Only MO apps Only MO apps Closed Device: Run signed only Run signed only Default Config: Run w/ prompts Run w/ prompts Open device: Run everything Trusted Run everything Trusted
Certificate Stores Root Store Root Store Contains trusted intermediate authorities (Trusted CA’s) Contains certificate roots trusted for secure web sessions (https) Operators should not need to add Certificates to this store My Store My Store User personal certificates Operator should not add certificates to this store SPC (Software Publishers Certificate) SPC (Software Publishers Certificate) Root of trusted software publishers whose application are allowed to install on the device. M2M (Mobile to Market) certificates are already here Operators may install certificates here if interested in managing application downloads (recommended)
Certificate Stores Privileged Store Privileged Store Root certificates in this store define which signed applications can access privileged API’s Operators must add root certificates to Privileged store to allow privileged applications to be signed for execution Unprivileged Store Unprivileged Store Root certificates in this store define which signed applications can access unprivileged API’s. M2M certificates are already here Operators may add their own root cert or partner cert here if they implement a closed device. Reliance on M2M cert is recommended
Certificate Management How to add or manage certificates How to add or manage certificates Flashed to operator ROM region and invoked during cold boot Push XML provisioning file Over the Air (OTA) Browse a site with hyperlink to.CPF file Use MMC/SD card that contains.CPF file Push XML file over the desktop ActiveSync via USB cable or IR port
Revocation Right to recourse against misbehaving apps. Revoke an individual app Revoke an individual app Device never runs BadNews.exe Revoke a specific developer Revoke a specific developer Device never runs apps from JunkApps.com Revoke signing cert Revoke signing cert Never run apps from developers cleared by FlakeySign cert authority All of these revocations can be performed Over-the-air