Presentation is loading. Please wait.

Presentation is loading. Please wait.

Storage of sensitive data in a Java enabled cell phone MSc Thesis Tommy Egeberg June 2006.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Storage of sensitive data in a Java enabled cell phone MSc Thesis Tommy Egeberg June 2006."— Presentation transcript:

1 Storage of sensitive data in a Java enabled cell phone MSc Thesis Tommy Egeberg June 2006

2 Agenda Introduction Problem Methods Results Conclusion Further Work

3 Introduction Cell phones → small computers Stores a lot of sensitive information –RMS, email, SMS, calendar … Able to run Java applications –Mobile SSO solution Store passwords -Introduction

4 Main problem Will a Java MIDlet on a cellular phone be a secure location to store sensitive information? -Problem

5 Research Questions What is already known about security in Java enabled cell phones? Will information stored on a cellular phone be easy to extract? How can we secure the stored sensitive information even if the cellular phone is lost or stolen? What kind of threats will the cell phone be vulnerable to? What kind of countermeasures can be used to reduce or eliminate the threats? -Problem

6 Methods Literature study –J2ME specifications –Communication link; cell phone ↔ server Prototype –Try to break into the prototype Security analysis –Identify threats and vulnerabilities -Methods

7 Digital safe Master password –PIN –Pass-faces –Stored as a SHA1 hash digest The sensitive information –AES encrypted with a 128 bit key Key derived from master password, username and a iteration count of 20, like described in PKCS5v2 [1] -Methods

8 Remote deletion SMS sent to the phone with the digital safe installed –Defined port number –The AMS starts the digital safe –SHA1 value of password –Deletes the stored information -Methods

9 Stealing MIDlet Upgrade a previously installed MIDlet The RMS will not be erased Read the stored information Identical values in the JAD file Can be used to inject Trojan code -Methods

10 Results Encryption and decryption –Bouncy Castle Crypto API [2] AES, SHA1, … Remote deletion is a poor functionality –Can easily be deactivated Data stored in the RMS can easily be extracted -Results

11 Data extraction Forensic methods [3] –Desoldering techniques, boundary-scan (JTAG) –Native applications Windows Mobile, Symbian OS Stealing MIDlet Phone Managers –Backup of MIDlet’s RMS -Results

12 Stealing MIDlet Overwrite the installed MIDlet MIDlet-Name and MIDlet-Vendor Source code –Add Trojan code A signed MIDlet can not be upgraded with an unsigned MIDlet! -Results A Stealing MIDlet’s JAD file MIDlet-1:StealingMIDlet,, StealingMIDlet MIDlet-Jar-Size:4743 MIDlet-Jar-URL:StealingMIDlet.jar MIDlet-Name:Password Store MIDlet-Vendor:Tommy Egeberg MIDlet-Version:1.0 MicroEdition- Configuration: CLDC-1.1 MicroEdition- Profile: MIDP-2.0

13 Phone Managers Oxygen Phone Manager II [4] –Backup Java MIDlets –Backup MIDlet's RMS MOBILedit! [5] –Forensic edition available -Results

14 RMS backup -Results

15

16 Threats & Vulnerabilities Information extracted Trojan code –Keyboard sniffer, send information to hacker, … Phone is stolen Brute-force attacks Remote deletion disabled MIDlet installation request -Results

17

18 Countermeasures Reflash cell phone OS Check MIDlet size and functionality Sign the MIDlet –Prevent Stealing MIDlets Strong master password and encryption Frequently update the login credentials -Results

19 Conclusion A strong master password must be chosen –The key in the encryption process, access to the application Data easily extracted –Encryption extremely important The MIDlet should be signed –Prevent installation of Stealing MIDlets, trusted source -Conclusion

20 Further Work SATSA (The Security and Trust Service API) Biometric authentication –Speech recognition (Java Speech API) Proactive password checking Synchronization service –Update the stored login credentials if the phone is lost -Further work

21 References [1]RSA-Laboratories. March 1999. Pkcs5v2.0: Password-based cryptography standard. [2]Bouncy Castle. Bouncy Castle Crypto Package. Light-weight API, release 1.33. [3] Willassen, S. Y. Spring 2003. Forensics and the GSM mobile telephone system. International Journal of Digital Evidence, 2, 10–11. [4] Oxygen-Software. Oxygen phone manager for Nokia phones (forensic edition) http://www.opm-2.comhttp://www.opm-2.com [5] Compelson laboratories. MOBILedit! Forensic http://www.mobiledit.com http://www.mobiledit.com

Download ppt "Storage of sensitive data in a Java enabled cell phone MSc Thesis Tommy Egeberg June 2006."

Similar presentations

Week III BlackBerry APIs. Overview Blackberry APIs Controlled APIs Registering to use RIM APIs Code Signing Optional Signatures Code Signature Verification.

Week III BlackBerry APIs. Overview Blackberry APIs Controlled APIs Registering to use RIM APIs Code Signing Optional Signatures Code Signature Verification.
A mobile single sign-on system Master thesis 2006 Mats Byfuglien.

A mobile single sign-on system Master thesis 2006 Mats Byfuglien.
Avoid data leakage, espionage, sabotage and other reputation and business risks without losing employee performance and mobility.

Avoid data leakage, espionage, sabotage and other reputation and business risks without losing employee performance and mobility.
SPEKE S imple Password-authenticated Exponential Key Exchange Robert Mol Phoenix Technologies.

SPEKE S imple Password-authenticated Exponential Key Exchange Robert Mol Phoenix Technologies.
Lee Hang Lam Wong Kwun Yam Chan Sin Ping Wong Cecilia Kei Ka Mobile Phone OS.

Lee Hang Lam Wong Kwun Yam Chan Sin Ping Wong Cecilia Kei Ka Mobile Phone OS.
For further information computersecurity.wlu.ca

For further information computersecurity.wlu.ca
Gefördert durch das Kompetenzzentrenprogramm DI Alfred Wertner 19. September 2014 Ubiquitous Personal Computing © Know-Center 2014 www.know-center.at Security.

Gefördert durch das Kompetenzzentrenprogramm DI Alfred Wertner 19. September 2014 Ubiquitous Personal Computing © Know-Center Security.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?

1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
Writing Your First MIDlet Running JAVA on a Cell Phone Jon A. Batcheller January 27, 2004.

Writing Your First MIDlet Running JAVA on a Cell Phone Jon A. Batcheller January 27, 2004.
Purdue University proudly presents www.purdue.edu/securepurdue Doug Couch & Nathan Heck, IT Security Analysts.

Purdue University proudly presents Doug Couch & Nathan Heck, IT Security Analysts.
Web Defacement Anh Nguyen May 6 th, 2010. Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
Avoid data leakage, espionage, sabotage and other reputation and business risks without losing employee performance and mobility. Simplify authentication.

Avoid data leakage, espionage, sabotage and other reputation and business risks without losing employee performance and mobility. Simplify authentication.
Online Security Tuesday April 8, 2003 Maxence Crossley.

Online Security Tuesday April 8, 2003 Maxence Crossley.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
Mobile Single Sign On System Souheil Lazghab. The security protocol should secure: First, the Bluetooth communication between the PICDEM FS USB Demo board.

Mobile Single Sign On System Souheil Lazghab. The security protocol should secure: First, the Bluetooth communication between the PICDEM FS USB Demo board.
Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.

Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.
Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.

Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Similar presentations

Ads by Google