Smartphone Applications – Common Criteria is going mobile

International Common Criteria Conference, Paris, France, September 18-20, 2012.

Smartphones are a growing, fast-moving field of IT. Although smartphones and their applications are omnipresent and potentially compromise security, their development cycle is not yet thoroughly addressed by application evaluation.

From the Common Criteria viewpoint, the major obstacles to evaluation are the lack of platform assurance and the obligation placed on user guidance. Smartphone platforms offer only basic means of isolation. The smartphone user can review a set of permissible operations before application installation, e.g. as many as 74 permission types in Android. Is such an authorization approach viable for preventing security breaches? The Common Criteria perspective of reviewing the security architecture (ADV_ARC) and the guidance documents (AGD) will identify its potential and limitations. We consider typical attack paths alongside the evaluation activities. How effectively are vulnerabilities (AVA) countered without platform guarantees?

Smartphone applications potentially undermine the security of society. The Common Criteria are a well-suited tool for evaluating such smartphone applications. This talk will identify the applicability of the Common Criteria approach and discuss evaluation issues in this field.
