1. Nokia Research Center Usable Security for Smartphones Cynthia Kuo Senior Researcher October 26, 2010 1

2. Nokia Research Center Many Development Platforms 2 http://www.gartner.com/it/page.jsp?id=1421013 Worldwide Smartphone Sales to End Users by Operating System in 2Q10 Coming soon… Windows Phone 7 MeeGo (Maemo + Moblin) BlackBerry Tablet OS

3. Nokia Research Center A Few Usable Security Topics in Smartphones Better application permissions models Using smartphones for authentication Better models for website authentication Phone-friendly CAPTCHAs Lost or stolen devices / data backup and restoration 3

4. Nokia Research Center Application Permissions: Threat Model Company Confidential 4 PC Many users share the same machine Protect users from one another Implement access control on users’ data Smartphone One user, one device Users may install malicious applications Protect processes from one another Implement access control on resources Protect business model

5. Nokia Research Center Application Permissions: Symbian Company Confidential 5 Symbian signed Application has passed certain tests and is signed against a certificate Signed installation package contains a list of the application’s capabilities Company Confidential 5

6. Nokia Research Center Application Permissions: Symbian Self-signed Has no capabilities User can grant capabilities Blanket Installation time One-shot When the requiring action takes place

7. Nokia Research Center Application Permissions: BlackBerry Resource grant during installation and first start Configurable through menu May also be configured by administrator through BlackBerry Enterprise Server Application installation Application permissions Data that application can access Company Confidential 7

8. Nokia Research Center Application Permissions: iPhone Codesigning used for certifying applications that pass app store requirements All apps need to be signed by Apple's private key(s) to run on (non-jailbroken) iPhone Password demonstrates user’s intent to install No options or requests for resource access Company Confidential 8

9. Nokia Research Center Application Permissions: Android Applications are self-signed Used for continuity (package updates) and integrity Android’s blanket grant during installation 112 Google-defined permissions Developers can define their own permissions to expose APIs to other applications Company Confidential 9 Content from David Barrera

10. Nokia Research Center Using Smartphones for Authentication 10 [ Coming up next! ]

11. Nokia Research Center Better Model for Authenticating Websites 11

12. Nokia Research Center Better CAPTCHAs? 12 Alex Smolen, Becky Hurwitz, Dhawal Mujumdar, UC Berkeley i213 Spring 2010 Project

13. Nokia Research Center Lost or Stolen Devices / Data Backup and Restoration When your phone is your primary device, what happens when you lose it? Company Confidential 13

14. Nokia Research Center Summary: A Few Usable Security Topics Better application permissions models Using smartphones for authentication Better models for website authentication Phone-friendly CAPTCHAs Lost or stolen devices / data backup and restoration 14

15. Nokia Research Center Thank You 15 cynthia.kuo@nokia.com