Securing Applications with Mobile Devices

Cybersecurity & FinTech

Securing Applications with Smartphones

Claudio Soriente, Telefónica I+D

5th July, 2016

Telefónica Investigación y Desarrollo

Researcher at Telefónica since 2015

Previous positions: UPM (Juan de la Cierva fellow), ETH Zürich

PhD, UC Irvine, 2009
- UC PhD fellow and IBM PhD fellow
- Advisor: Prof. Gene Tsudik

Interested in Security and Privacy
http://www.tid.es/research/researchers/claudio-soriente

[email protected]

Telefónica Investigación y Desarrollo

Located in Barcelona since 2011

~20 researchers + PhD students

Focus on Network and Data

Scientific visibility: SIGCOMM, INFOCOM, MobiCom, CoNext, CHI, UbiComp, WWW,

Internships at TID are popular! 10+ interns per year

Visiting researchers are welcome!

Smartphones Use Cases

Smartphones Popularity
1 Gartner Inc.
2 Google Scholar Data

Securing Applications with Smartphones

Smartphones: PoS transactions, Web authentication

Sound-Proof: Usable Two-Factor Authentication Based on Ambient Sound (Usenix Security 2015)

Smartphones as Practical and Secure Location Verification Tokens for Payments (NDSS 2014)

Sound-Proof: Usable Two-Factor Authentication Based on Ambient Sound
Joint work with Nikolaos Karapanos, Claudio Marforio, and Srdjan Capkun

Web Authentication - Passwords
Passwords are used everywhere despite password weakness

[Figure: login form with user "ana" and password "ana123"; guessed passwords "ana111", "ana112", "ana113", "ana123"]

Web Authentication - Passwords
Passwords are used everywhere despite password reuse

[Figure: user "ana" enters password "ana123" in three login forms]

Web Authentication - Passwords
Passwords are used everywhere despite password phishing

[Figure: user "ana" enters password "ana123" at www.gooogle.com]

Web Authentication - Supplementing Passwords
Passwords are used everywhere despite password reuse, leakage, guessing, phishing, etc.

Two-factor authentication (2FA) to the rescue
- Password + one-time code
- Code must be hard to guess

PROBLEM: small user adoption (if optional)
- Only 25% of Americans use 2FA (1)
- Only 6% of 100k Gmail accounts have 2FA enabled (2)

1 Study by Impermium, 2013 (BusinessWire article, http://goo.gl/NsUCL7)
2 Petsas et al., EuroSec 2015

[Figure: one login with "ana" / "ana123" and one-time code 359702; another login with "ana" / "ana123" and an unknown code "??????"]

Research Question
How to benefit from the added security of 2FA, while keeping the password-only user experience?

Improving 2FA Usability - Software token on the phone

Better than HW tokens
- Phone is always carried
- Can accommodate multiple hardware tokens

Still requires extra user interaction
- Cognitive load

[Figure: login with "ana" / "ana123" and code 694150 shown on the phone]

Improving 2FA Usability - Push-button authentication

Minimize user-phone interaction
- Little cognitive load
- Just tap a button instead of copying a code

[Figure: login with "ana" / "ana123"; phone shows "Login attempt" with Yes / No buttons]

Improving 2FA Usability - Removing User-Phone Interaction

Code transfer via short-range communication between phone and laptop
- Laptop asks for code
- Phone transfers code to laptop
- Laptop transfers code to server

[Figure: login with "ana" / "ana123"; "Code please!"; code 694150]

Why Short-range?

[Figure: login with "ana" / "ana123"; "Code please!"; code 694150]

Short-range communication
- PhoneAuth (Czeskis et al., CCS '12)
- FBD-WF-WF (Shirvanian et al., NDSS '14)

Improving 2FA Usability - Removing User-Phone Interaction

Code transfer via short-range communication between phone and laptop
- Laptop asks for code
- Phone transfers code to laptop
- Laptop transfers code to server

Sensing the environment
- Phone and laptop sense the environment
- Send the measurement to the server
- If measurements match they are close to each other
- Measurement should be hard to guess!!!

[Figure: login with "ana" / "ana123"; laptop and phone are both told "Sense!"]

Measurement should be hard to guess!

[Figure: login with "ana" / "ana123"; "Sense!"]

Sensing the environment
- GPS coordinates are easy to guess!!!
- Multi-modal (Shrestha et al., FC '14)
- Sound-Proof (Karapanos et al., Usenix '16)

Sound-Proof Overview - Take 1

[Figure labels: "ana, ana123" / "alice, alice123"; "record"; "record"; "Match?"]

Audio could be privacy-sensitive!!!

Sound-Proof Overview - Take 2

[Figure labels: "ana, ana123" / "alice, alice123"; "record"; "record"; "Similarity score s"; "Login authorization (s >? threshold)"]

Sound-Proof in action

Sound-Proof Highlights

Novel 2FA mechanism
- Sense ambient audio to verify proximity
- Usable: no user-phone interaction
- Deployable: compatible with smartphones and major browsers without plugins

Prototype implementation for Android and iOS

Extensive evaluation
- Showing how Sound-Proof works in a variety of environments, even if the phone is in a pocket or a purse

Measurement should be hard to guess!

[Figure: login with "ana" / "ana123"; "Record!"; "Yes/No"]

Attacker wins if

matches

Audio Comparison

Inspired by human sound recognition
- Split signal in 1/3 octave-bands
- Match filtered phone signal against filtered laptop signal
- Computes a similarity score 0 ≤ s ≤ 1
- Checks if s > t (threshold)

Which are the important bands?
How to set the threshold t?

Audio Collection Campaign

Environment: office, office with music, home with TV, lecture hall, train station, café
Laptop: MacBook Pro Mid 2012, Dell E6510
Phone: iPhone 5, Google Nexus 4
Phone position: outside, in a pocket, in a purse or rucksack
User activity: being silent, talking, coughing, whistling

4014 audio samples (2007 logins)

Tune system parameters to minimize
- Legitimate logins rejected (usability)
- Fraudulent logins not detected (security)

Audio Collection Campaign - Results

[Figure: legitimate logins rejected and fraudulent logins not detected]

- Frequency bands between 50Hz and 4kHz
- Higher bands suffer from directionality and fading
- Threshold t = 0.13
- Equal Error Rate = 0.2%

[Figure: legitimate logins rejected; legend: 95th %ile, 75th %ile, Average, Median, 25th %ile, 5th %ile]

Sound-Proof vs Google 2-step verification (user study)

32 participants (no security experts)

Within-subject experiment
- Log in with Sound-Proof and with Google 2SV (randomized order)
- Fill System Usability Scale (1) (after each login)
- Score 1-100

SUS score (mean)*
- Sound-Proof: 91.09 (5.44)
- Google 2SV: 79.45 (7.56)

1 SUS - A quick and dirty usability scale, J. Brooke, Usability evaluation in industry, 1996
* (F(1, 31) = 21.698, p < .001, η² = .412)

Non-obtrusive Continuous Authentication

Authentication should not happen only at login
- E.g., banks ask for credentials when authorizing a transaction

https://nymi.com/
- Hardware-based
- Requires sw on the laptop

https://www.behaviosec.com/
- Mouse movements
- Keystroke dynamics
- Requires training
- Behavior subject to changes

http://sound-proof.ch/
- No sw on the laptop
- Works out of the box

Sound-Proof Takeaway

[Figure: three diagrams (Password Only, Existing 2FA, Sound-Proof), each comparing Security, Adoption, and Usability & Deployability. Sizes are purely representative!]

sound-proof.ch

Sound-Proof became a start-up
- http://sound-proof.ch
- Working demo
- Android and iOS
- Download the app and try it yourself!

Smartphones as Practical and Secure Location Verification Tokens for Payments
Joint work with Claudio Marforio, Nikolaos Karapanos, Kari Kostiainen, and Srdjan Capkun

Fraudulent Transactions with Credit/Debit cards

1.33 billion euros in 2012 (1)
- 60% online
- 23% PoS
- 17% ATM

3D-Secure mitigates online fraud

PoS + ATM fraud?
- >.5 billion value
- Chip&Pin improves the situation but attacks have been found (2)

1 European Central Bank: Third Report on Card Fraud (2014)
2 [BCMSA, S&P 2014]

Research Question
How to detect fraudulent transactions at PoS, while keeping the current PoS infrastructure and the traditional (swipe+pin) user experience?

Fraudulent Transactions with Credit/Debit cards at Point of Sale

Phone as 2nd authentication factor
- Use phone's location

When card is swiped
- App sends authenticated GPS coordinates
  - Using a key shared with the server
- Server authorizes the transaction if phone is close to PoS
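
The location check described on this slide, as an added example that is not code from the talk or its prototype. It assumes HMAC-SHA256 for the authenticated coordinates, a per-transaction identifier `tx_id` to stop replays, and a 200 m acceptance radius; the key, names and radius are hypothetical, and the coordinates are the ones shown on the slides.

```python
import hashlib
import hmac
import math
import struct

MAX_DISTANCE_M = 200.0  # assumed acceptance radius, not a value from the talk


def _message(tx_id: bytes, lat: float, lon: float) -> bytes:
    # Bind the coordinates to one transaction so a tag cannot be replayed
    # for a later swipe (tx_id is an assumed server-chosen identifier).
    return struct.pack(">H", len(tx_id)) + tx_id + struct.pack(">dd", lat, lon)


def _tag(key: bytes, tx_id: bytes, lat: float, lon: float) -> bytes:
    return hmac.new(key, _message(tx_id, lat, lon), hashlib.sha256).digest()


def phone_report(key: bytes, tx_id: bytes, lat: float, lon: float) -> dict:
    """Phone side: answer a location request with authenticated coordinates."""
    return {"tx_id": tx_id, "lat": lat, "lon": lon,
            "tag": _tag(key, tx_id, lat, lon)}


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(a))


def server_authorize(key: bytes, tx_id: bytes, pos: tuple, report: dict) -> str:
    """Server side: verify the tag, then compare phone and PoS locations."""
    expected = _tag(key, tx_id, report["lat"], report["lon"])
    if report["tx_id"] != tx_id or not hmac.compare_digest(expected, report["tag"]):
        return "Reject"  # unauthenticated, altered or replayed report
    distance = haversine_m(pos[0], pos[1], report["lat"], report["lon"])
    return "Authorize" if distance <= MAX_DISTANCE_M else "Reject"


# Constructed sample data: a dummy 32-byte key and the slides' coordinates.
KEY = bytes(range(32))
MADRID_POS = (40.417454, -3.704477)
BEIJING_POS = (39.913143, 116.405141)

if __name__ == "__main__":
    near = phone_report(KEY, b"tx-0001", *MADRID_POS)
    print(server_authorize(KEY, b"tx-0001", MADRID_POS, near))
    far = phone_report(KEY, b"tx-0002", *MADRID_POS)
    print(server_authorize(KEY, b"tx-0002", BEIJING_POS, far))
```

The tag only proves that the report came from whoever holds the shared key; it says nothing about whether the GPS reading itself is genuine, which is the gap the later TrustZone slides address.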

Location Verification - Legitimate Transaction

[Figure: message flow: Authorization request; Location request; Lat: 40.417454, Lon: -3.704477; Authorize]

Location Verification - Fraudulent Transaction

[Figure: message flow: Authorization request; Location request; Lat: 40.417454, Lon: -3.704477; Reject]

Location Verification - Fraudulent Transaction

[Figure: message flow: Authorization request; Location request; Lat: 39.913143, Lon: 116.405141; Authorize]

Malware on the phone can forge GPS coordinates!

ARM TrustZone

HW support for security

ARM TrustZone
- Available on (almost) every smartphone
- Long history, little use (e.g., subsidy lock)
- Currently not open for development
- Emerging standard to open it up

Isolate apps from OS!
- OS compromise does not affect TEE applications

TPM-like services
- attestation, secure storage, etc.

ARM TrustZone

[Figure: application processor split into Normal world (Android, kernel, apps; a bug in the kernel) and Secure world (Trusted OS, app); baseband processor with Baseband OS and SIM]

Normal World - Android + Apps
- Android is big and has bugs

Secure World - Trusted OS + Apps
- Trusted OS is small
- Less chance of compromise

Location Verification - Fraudulent Transaction

[Figure: message flow: Authorization request; Location request; Lat: 40.417454, Lon: -3.704477; Reject]

Even if OS is compromised, the adversary cannot forge GPS coordinates

Prototype

ARM TrustZone not open for development
- 400MHz TrustZone-enabled Cortex-A9 processor
- Secure world (SW): Sierra Open Virtualization (1)
- Normal world (NW): Android 4.1.1
- App: 150 LoC
- HMAC-256 on GPS coord.: 3ms

Samsung Galaxy S3

1 http://www.openvirtualization.org/

Office Test - Feasibility

Field Study

Field Study
- Tolerable delay (~4 seconds)
- Enough accuracy to distinguish nearby shops
- Indoor reception better than expected
  - Femtocells in tunnels,
- No user interaction required
- No privacy leak
  - The bank knows transaction location for legitimate transactions

Takeaway

Smartphones are a formidable tool to secure applications
- Not the app on your phone!

Key challenges are
- Time-to-market
  - Solutions that cannot be used today have little value
- Usability
  - If hard to use, no-one will use it

In this talk
- (web-based) Second-factor Authentication
- Transactions at Point of Sales

Thank You!

http://www.tid.es/research/researchers/claudio-soriente

[email protected]
