Problems with Mobile Security #1

Mobile ticketing, m-commerce, secure messaging, corporate applications, government communications, e-money, the list goes on of things that would be great to do on mobile - as long as they really were secure.

So, security on our phones, and we'd like to use publicly endorsed standards - 10 out of 10 security experts prefer it and describe any non-standard (proprietary) security as "Snake-Oil".

Q: HTTPS/SSL is used for e-commerce everywhere, why not use it for mobile-commerce?

A: a number of issues make it impractical for mass-market mobile use:

1. Not available on all phones
   MIDP1 phones don't support SSL connections. MIDP1 represents fewer than half of the JAVA enabled phones in circulation in the West, but a significant number and a greater proportion in the developing world where used handsets are popular. To develop systems that won't run on these handsets is to needlessly cut down your potential user-base.
   
   
2. Out of Date Symmetric Ciphers
   Some handsets have built in HTTPS/SSL for their browsers and many handsets use the easiest to develop, and alas the oldest ciphers in their SSL/HTTPS. Some of these ciphers have known vulnerabilities, and should not be added to new systems, for example RC4. US Govt CERT Advisory: SSL/RC4 passwords easily crackable; solution: Do not use RC4 encryption.
   This is alarming as most mobile browsers which have SSH/HTTPS only use RC4. Try connecting to your bank, and look at the page/connection security details, and I'll bet it says that you are using RC4. It should be retired, not built into brand new systems.
   "RC4 encryption algorithm is not a Federal Information Processing (FIPS) standard and probably won't ever be because network professionals see RC4 as rather weak in terms of message authentication and integrity." - William Burr of NIST
   
   
3. Only secures TCP data
   The built in SSL/HTTPS cannot be used to add encryption to locally stored data, SMS, MMS, Bluetooth, IrDA or any other connections used by the mobile device, so anything you are doing on these channels is in the clear. This non-TCP data is important because many users don't always have the correct data settings for java networking, or know how to use them, and you can greatly help them by being able to "fall-back" to encrypted SMS to make your purchase, as you will find in our latest apps. We will cover networking issues in a later blog post. Also people have attacked and opened the RMS data stores on phones, so your stored details are not safe unless you have taken extra steps beyond standard MIDP behaviour.
   
   
4. Certificate Problems
   Many handsets don't have a full complement of root certification authority certificates installed. This means that your HTTPS server certificate will often not be recognised as a properly authenticated cert (throwing worrying messages to the user, and completely voiding the trust relationships that make SSL/HTTPS useful), and the phone will NOT CONNECT AT ALL to your server from Java as invalid and self-signed certificate warnings are not fed to the user when the connection is made. For example one of our test applications was unable to connect to the major and popular London Underground Oyster site, or the Barclays bank websites on most Nokias, because of certificate issues.
   It is impossible on almost all handsets to install any new certificates, so regardless of the technical abilities of your users or support teams you will not be able to overcome this issue; the FAQ site for Opera mini also acknowledges this issue.
   One final confusion: the original phone model from the handset manufacturer may have contained a valid Verisign or Thawte root cert, but sometimes the mobile network operator will remove that and put in their own certificates instead at the customisation stage, so you can't reliably know what certs are installed even if you are sure which model of handset you are talking to.
   


5. Slow to initiate
   HTTPS and SSL require several connections to establish a secure session. On a fast PC network with low ping times this isn't much of a problem as the amount of data sent is tiny. However on a phone with two second ping times, commonly up to six seconds, each connection (regardless of amount of data) takes serious time to travel to the server and back. On many handsets the cryptography required on the handset side can also cause delays - in our experience up to eight seconds on the encryption alone, even on a recent MIDP2 Nokia.
   
   


6. Vulnerabilities in WTLS/Secure WAP - also not end-to-end
   Most handsets implement WTLS (Wireless Transport Layer Security protocol). This is similar in intent to SSL, but with some bits chopped out to make it easier for phones to use with their limited memory and small CPU. Once the data gets to the WAP gateway it is decrypted and then re-encrypted into an SSL/HTTPS session to the destination server on the internet.
   Unfortunately the protocol allows the use of very weak, or no encryption at all between the phone and the WAP gateway. There are several known cryptographic attacks on WTLS too, detailed here.
   Worse, the data is all in plaintext within the WAP gateway i.e. this does not constitute end-to-end encryption - it relies on network engineers not to read or sell your data, unknown 3rd parties to maintain the server security, and defend the WAP gateway from compromise.
   
   The risks of leaving your data in plaintext at the WAP gateway (or anywhere inside the mobile network) are wonderfully demonstrated by the recent revelations that hackers have gone undetected inside mobile networks for years - see stories of accidental discovery of long term hackers in Vodafone Greece and T-Mobile, and also of network engineers snooping at user data passing through their systems for romantic reasons.
   
   [Open question to readers, because I'm suspicious but not sure: when using the default WAP Gateway, not an Internet Gateway, for your mobile data connection, are you able to use full end-to-end HTTPS or does the WAP/UDP protocol drag everything down to WTLS? If it did, all your WAP based banking may well be clear-text in the Wap gateway.]
   

Q: What about Opera Mini - the advanced one for MIDP2 that has some security built in, can't we just do e-commerce through that?

A: It's not end-to-end encrypted - so you have to trust Opera's engineers, servers, sysadmins and maintenance contractors with your plain-text passwords and credit cards. Again they chose to use the RC4 cipher of all things, which should be retired, not built into new products.
In good news though, they do seed their Random Number Generator correctly, which is disappointingly rare in mobile security.


Q: What about SMS - internet based hackers can't see them, as they are all in the Mobile Network Operator's walled gardens?

A: Same problems as WTLS, because network engineers, 3rd party service technicians, servers, and base stations in the Mobile Networks are not policed to PCI DSS standards (required for sending/processing credit cards).
Additionally an SMS may not just be going through the UK networks that have familiar brand names. SMS's are often transferred internationally across the Wild Wild Web through various companies that you have never heard of, and may originate or terminate in some very odd countries where you wouldn't dream of leaving your credit card.
The infamous case of bored network engineers poking through other people's MMS pictures of naked girlfriends (and forwarding them on) is nothing compared to what may happen when and if large amounts of credit card data start to get sent through SMS messages. After the case of O2 engineers abusing their access to SMS messages, analysts Gartner said "The contents of SMS messages are known to the network operator's systems and personnel. Therefore, SMS is not an appropriate technology for secure communications. Most users do not realise how easy it may be to intercept".
If I was thinking like a hacker or spy, the first thing I would do is place logging hardware in a few base-stations, which see plenty of data passing through them. Lawyers, government ministers and top business people leak enough valuable information without throwing credit cards into the mix. It should also be pointed out that it is child's play to fake the sender number of an SMS.


Q: What about the open source Bouncy Castle Light Crypto Libraries?

A: A jolly good start, but they're not THAT light. Adding a simple security system using Bouncy Castle with Asymmetric Key exchange, a Symmetric session cipher and a Random Number Generator (the bare minimum for secure comms) adds over 22Kb to the basic app, even after you've stripped unused code and obfuscated it. With the very oldest handsets having JAR size limits of 29Kb - such as the Nokia 6310i, which despite its age is still very popular, people clinging to it like limpets and some major companies still issuing them NEW to their executives (we learned in a recent meeting). Common MIDP1 handsets have 64Kb limits - Playtech saw more than 1 in 10 downloads go to these handsets in the first half of 2007, a substantial market share. Most of the work in mobile dev is making things small, and use as little memory as possible, so that you've got plenty of room for pictures and text and all that code that needs to glue it all together smoothly.

---

What a moaning session! I do apologise, but there's no point beating about the bush.

Solution: (a suggestion, not the only solution)

To reliably create encrypted sessions from mobile you have to build a truly lightweight encryption/decryption system into your applications. This allows you to support every possible phone and also control the choice of cipher, the encryption strength, and eliminate certificate incompatibilities. It also allows you to encrypt data stored on the handset, SMS messages, or communication on other channels, which HTTPS and SSH do not.

This is why Masabi built EncryptME, a 3KB security component for J2ME that allows all phones to make encrypted connections over SMS, GPRS, WiFi or just about anything else. EncryptME is also US Government verified and certified, so you don't have to take the our word for it that it does what it says on the tin. It provides 1024bit RSA, 256bit AES and an approved RNG, if you were wondering.

Additionally, by being standards compliant you can continue to use standard server cryptography components, for example those from Sun, Microsoft or our friends Bouncy Castle. Even against phones with built in SSL/HTTPS, EncryptME is between 6 and 20 times faster on a mobile in live tests.

And good choice of algorithms isn't enough! You must use them in a wise way with user education, good seeding, padding, key management, and protection against replays, insertions, concatenations, man in the middle, phishing and all manner of other attacks that cryptography alone will not solve - but that's another story, to be entitled "When good crypto goes bad".

Good Examples:

• Opera Mini Advanced: MIDP2 only, but has their own crypto with proper RNG seeding. Well done, apart from lack of end-to-end and use of RC4.
  


• Playtech Online Casino: supports almost all MIDP phones, built in encryption, 1024bit RSA and 256bit AES, with player key-strokes during gameplay used to seed RNG.

Bad Examples:

• Opera Mini Basic: no encryption, but allows users to interact with their secure HTTPS banking sites while sending cleartext usernames, passwords or credit cards over the internet. To be fair they do admit it here with a good diagram.
  


• Mobile java apps that rely on SSL or HTTPS - they won't work in all cases, and slow down user interaction where they do work.
  
  
• Plaintext SMS apps which invite you to send Credit Cards or other sensitive data.
  
  
• Anything using "security through obscurity" or "snake oil" where they don't reveal what they do to protect your data.
  Also a special mention for the use of the word "patented" in security. It may help to raise a company's valuation in the eyes of Venture Capitalists and investors, but to a cryptographer (or hacker) "patented" doesn't mean safer, or correct, or even clever. It only really says that someone has sent it on a piece of paper to their local Patent Office and can be a good hint that very few people have had the chance to check it and test it, especially if this patented technology is only used by one or two companies.
  In Java reverse compiling (reverse engineering) end user applications is pretty straightforward, so the secrets will come out pretty quick as soon as someone takes an interest in your product.
  

---

I hope that gives you some idea about security on current generation mobiles. My next post will cover getting good Entropy for your secure random number generator on mobile, a need highlighted in a timely fashion by Brian at Mobile Crunch.

Comments: there are no completely secure systems in the world, and security only gets better through challenging, discussion, testing, probing and questioning. Please post your questions or corrections if you have any, and I'll do my best to respond, or correct mistakes/omissions as they are pointed out.
Also please feel free to post good examples of clear and honest mobile security if you've seen some, but don't be surprised if we start poking them and asking questions back at you!

September 12th - Cambridge Wireless event: "Money Talks"

Money Talks! Have you ever sat at a mobile conference listening to a speaker and thinking 'Okay, but how can we make money out of this'?

12th September 2007 I'll be at Gonvile and Caius College in Cambridge giving a presentation about:

• Our experiences rolling out mobile applications with financial transactions in them
• Dealing with multiple languages and currencies
• Security requirements for mobile commerce, and common problems
• Security solutions for mobile commerce that attendees can use to monetise their products
• Demonstrating EncryptME, our 3kb RSA/AES security component for mobiles (of course)

Go to Cambridge Wireless website for more details, and feel free to come along!

A Mobile Software Primer

I originally started this post to talk about mobile statistics, and particularly the difficulties I had coming up with a nice graph to show the relative popularities of the different mobile software platforms - Java, Flash Lite etc.



The more I wrote, the more I realised that what I was writing made no sense without background information - and before I knew it, most of the post was background. So I changed the title and now have what I feel to be quite a fitting first serious blog post - a primer document explaining a little about the world of mobile software.

The Mobile World

The mobile world is not homogenous. The first big split to be aware of is the separation between the GSM and CDMA network technology families, with CDMA popular in the US and GSM used in most of the rest of the world (~73% in 2005). However, GSM is used in the US and CDMA is used in some other countries, so it's hard to be precise!

Many CDMA phones use the BREW platform for downloadable content, whilst most GSM handsets capable of accepting 3rd party software support Java. BREW content must go through operator approval and is not suitable for guerrilla marketing or free content; Java content can generally be written and downloaded by anyone, though in some countries (eg. US) some networks choose to limit its power or availability.

Two countries stand out as being completely different: Japan and South Korea, the two most advanced mobile markets in the world. Japan is split between three operators pursuing different strategies, by far the largest being DoCoMo with its own flavour of Java, DoJa, that is open for any developer; KDDI use BREW and Softbank use standard MIDP Java but all content must be approved by them before installation. South Korea has a government-backed software platform, Wipi, available only in Korean and subject to tight operator controls, effectively prohibiting non-Korean companies from accessing that market.

The US also stands out, because it is a complex mix - its largest networks include a CDMA network where BREW is used, Verizon; a CDMA network using Java, Sprint; a handful of GSM networks (AT&T, T-Mobile); and many smaller networks using a range of network technologies. Software distribution is therefore also complex.

One final thing to note is that different platforms have different strengths around the world. BREW is mainly a US-focussed technology, though it is available on at least one network in "30+" countries round the world - because of the closed distribution we won't deal with it much here. Palm is virtually unheard of outside the US; Nokia's smartphone platform, Series 60 (based on the Symbian operating system) is much stronger in Europe, and Japan is dominated by DoCoMo's decision to base all of its handsets on either Symbian or Linux buried underneath their own abstraction layer. Handset use is similarly varied - SMS has traditionally been unpopular in the US, the Japanese use e-mails instead of text messages, etc. Never make assumptions!

Software Platforms

The platforms mentioned so far, Java and BREW, are by far the biggest. Here's a full overview of the competing technologies (note for non-technical readers: it does get a little technical in places and can certainly be acronym-heavy, but hopefully it should still hold together if you skim past the bits where your eyes glaze!):

• Java - in almost all the world this means MIDP, a 'profile' of Java Micro-Edition designed for phones. When people say "Java content", they almost certainly mean MIDP JavaME.
  
• Java content is downloaded through a browser, and then lives on the phone; it can be run at any time, even when the network is not connected;
• There are numerous extensions to Java to do special things like take photos with the camera, display 3D graphics and make payments using your phone bill - availability of these extensions varies;
• Distribution can be through a browser and often also over Bluetooth/Infrared or through a PC sync cable.
  
• Flash lite - a cut-down variant of Flash available on some high-end mobile phones, this comes in two semi-compatible versions (1.x and 2.x) and can be run in three different ways:
• Some handsets only support standalone content (like Java);
• Some handsets only support Flash embedded in a browser page (like a PC), and often the browser prevents the Flash from using the direction keys which instead scroll the page (common in Japan);
• Some handsets allow Flash to be used on menus and screensavers, whilst some only use it on menus (like the Samsung D600).
• Symbian - the biggest smartphone platform, many Symbian OS handsets can accept content written in C++ that can access a wide range of platform features.
• New versions of the operating system have not been backwards compatible, so software must be recompiled and must now be sent to Symbian for 'signing' before distribution is possible;
• There are two main variations of Symbian in the West - Series 60 promoted by Nokia, and UIQ now owned by Sony-Ericsson; a third version is sold in Japan and does not accept any Symbian content at all.
• Windows Mobile - Microsoft's mobile operating system has grown from very humble beginnings into a respectable platform, and much like Symbian can be extended with C++ code or a cut-down version of .Net. Backwards compatibility is better than Symbian.
• Linux - there is no single "mobile Linux" (yet); currently, there are a wide number of variants, some of which are open to 3rd party software and some of which are locked down and cannot accept any.
• Mobile AJAX - the iPhone has popularised the idea of AJAX on mobile phones, but despite promise for the future this is in its infancy
  
• One day it should be viable on mobile networks, but this will require flat rate data tariffs and much faster connections;
• There are a large number of browsers, all with subtly different implementations, and no good frameworks yet to abstract them and make development easy;
  
• For a full critique see here (among others).
• Widgets - a number of companies are pushing widget platforms for mobile, notably Nokia with the Java-based Widsets that run on a lot of high-end phones.
  

One key thing to remember here is that many of the criticisms aimed at one platform or another are actually just common to mobile phones in general - in particular fragmentation and device bugs.

The mobile handset is one of the fastest moving, most complex consumer electronics markets in the world - a bewildering array of devices are released every month, all with differing specs, and all with release dates specified by the marketing department who have booked advertising well in advance. This is a QA department's nightmare, so handsets ship with bugs - and firmware upgrades are risky and cumbersome, so they often go unpatched. Every platform will have bugs; if it hasn't got many yet, it is too young and too small.

Even if there were no bugs, fragmentation is guaranteed when you have such a bewildering variety of screen sizes and methods of communicating with the device. Some have touchscreens, some numeric keypads, others full QWERTY keyboards or custom thumbpads. The Nokia N95 has a 5Mp camera, the E61 has none; the Motorola Z8 can expand to 32Gb of storage, the original RAZR has 5Mb. Sony-Ericsson use dedicated Back and Clear keys, Nokia phones have neither. Even the layout and usage of basic keys can be different. Here is a diagram comparing all of the resolutions of screen Nokia currently has on the market - just try designing graphics for a single app, or one wap site, to run on all of them:



These problems are manageable if you understand them in advance - though more so on a mature platform like Java (sticking to core APIs) then on a bleeding-edge beta platform like Mobile AJAX.

Lots of Platforms - But Who Can They Reach?

Mobile handset statistics are notoriously difficult to obtain. Starting from a blank slate, you have three basic choices:

1. Pay a lot of money for comprehensive breakdowns of some key markets, from research companies like m:metrics. These give the best overview of what is being used today on networks, but you have to keep the stats secret :)
   
2. Access public statistics from content portals (most don't offer these). It is very important to note that portal statistics have built-in bias - they reflect what was downloaded, but that is shaped by what is available. Platforms which are easier to develop for can get flooded with software, and therefore generate more downloads, leaving other users out in the cold. Also some portals, for example the free content site GetJar (and associated stats site MobRef) tends to offer a lot of, ahem, pictorial content and so gets heavy hits from people with larger screens. As it were. There's also a strong smartphone bias as people searching down that site are likely to have bought their smartphone specifically to run 3rd party software on it.
   
3. Try to collate phone shipment statistics. These tell you relatively accurately how many devices each manufacturer is shipping, but you don't tend to get any more granularity than that - and LG or Samsung in particular have a nearly incomprehensible platform strategy with many incompatible handsets. Also, many users do not upgrade every year so knowing how many handsets shipped this month, quarter or year does not actually give you a true picture of what is being used in the market today. Breakdowns by country are also near impossible to get, and you have to take what you can get with time periods because what you can find (without purchasing reports) won't be what you need.
   

Often the best source of statistics is to just look at your weblogs though. This will tell you what types of people are trying to access your content, and over time will generate some more usable information.

Tracking Down Some Figures

For our latest website revision, I wanted a graph comparing the market penetration of the different software platforms, with figures that could be verified by anyone using public web resources I could link to. This proved difficult, but I'll explain the process I went through below.

Shipment figures usually come out some time in arrears, so for this exercise we'll look at shipments across the whole of 2006. A good starting point is Canalsys, who do quite detailed
breakdowns of the smartphone segment of the market - in 2006 smartphones accounted for only 64m (under 7%) of the 1bn handsets shipped, but platforms outside of Java are very tied to smartphones.

The Canalsys report immediately tells us the OS-based market shares: Windows Mobile accounted for 14% of smartphones (~9m), Linux was 6% (~4m) and Symbian totalled 67% (~43m). We can further breakdown Symbian - Nokia shipped 50% of smartphones and they (basically) only ship S60, which means 32m of those were S60 and 11m must be split between UIQ and the Japanese locked-down Symbian. The report reveals that Sony-Ericsson shipped nearly 1.2m devices, most of which were in Japan - these days Sony-Ericsson basically account for all UIQ shipments, so it should be safe to assume that at most 1m were UIQ and the other 10m are locked-down Japanese Symbian phones, not able to access 3rd party content. As a quick sanity check, I found that Symbian claim they have now shipped 20m phones in Japan and the second 10m took only a year, which tallies.

For Flash Lite stats, we can look to Adobe who are keen to buff up their credentials - Vision Mobile has done a nice summary of various Adobe sources here. First thing that struck me - Adobe predict 1bn devices cumulatively shipped by 2010; in contrast, Sun state 2.1bn Java handsets have already shipped and predict 1bn new devices will ship just next year. But I digress. Adobe/Vision Mobile are claiming 220m "Flash-Lite-enabled devices shipped by end of 2006 (includes mobile handsets, PDAs and consumer electronics)". Two problems - we're trying to compare like-for-like, so we just want 2006 shipments of mobile phones - ignoring unconnected PDAs and consumer electronics, and ignoring pre-2006. My gut also says that this may be a misquote, and it might mean 220m devices could run Flash Lite - it only really started to be embedded in handsets (as opposed to purchased/downloaded by users) in early 2006 outside of Japan, which had 20m Flash handsets at this point.

So what to do? Check out Adobe last financial briefing in detail - and it turns out you can guesstimate the shipments from the mobile PDF's graph on page 13 - by my count, 151m across 2006 (15% of all devices shipped), a massive increase on 2005. There's no way to tell how many of these were mobile handsets, and furthermore which were like the Samsung D600 (Flash sometimes used for menus but not available to end users) and which actually had it in a usable form, so we'll be charitable and assume all of them (this page gives some hints but no stats).

AJAX is available on mobile platforms inspires a huge amount of hype and very little hard fact. Firstly, you can get it in two main forms - with the Safari browser available on Nokia S60 3rd edition phones and the iPhone, and with Opera Mobile for Windows Mobile, S60 and UIQ ($30 to download, but shipped as standard on some devices). Opera Mini, the incredibly popular Java browser that runs across most Java handsets, does not feature AJAX (as of the current v4) - it does do some clever server stuff to simulate some AJAX features though. Many incorrect blog posts and articles have been written about this, and Opera keep their FAQs vague. There are some other attempts to bring AJAX and widgets to mobile but they aren't simple adaptions fo AJAX ont eh web so we'll ignore them here.

AJAX was added to Opera Mobile in early 2006 - Online Reporter presents a good overview of the key platforms and claims 17m AJAX-capable Opera browsers shipped that year. The iPhones is too recent to appear on our comparison (half a million shipments in the first week is impressive but actually negligible on the scale we're working to); S60 3rd edition handsets started shipping in March 06 and the S60 blog claims that by mid-2007 they had shipped 50m units (possibly using some dubious maths), so lets split the difference and say there were 25m shipped in 2006. This gives us approximately 42m AJAX devices in 2006.

This leaves us with Java, which turns out to be the hardest. Sun probably know, but they aren't telling. Stats for many years ago are easy enough to find, but no use - so I had to resort to guesswork. I started by looking at the handset shipments for the year and make estimates based on a gut feeling for what each manufacturer ships - the big 5 account for ~807m shipments in 2006; we know most Nokias/Motorolas (except for the emerging market devices) and almost every Sony-Ericsson will have Java; many Samsungs and a lot of LGs also have it (but in their home market they use Wipi and that accounts for maybe 75% of the 40m phones used there). Many of the "Others" also have Java, eg. most Windows devices (such as all those made by HTC,the biggest Windows white label manufacturer). We also know Sun reckon that 2007 will see nearly a billion Java phones shipped, so a figure round the 700-750m mark would seem quite reasonable in the absence of anything more reliable. I hate this kind of guesstimate but it's currently the best I can come up with.

So we end up with a nice comparison graphic for handsets shipped in 2006:


Some more up-to-date figures would have been nice but hopefully the protracted analysis made it obvious that it's extremely difficult to reliably obtain even older statistics. It's always worth remembering that these are only approximate figures anyway - broad trends can help you pick the right platform, and once your product is out that's the best guide you can have.