Вы находитесь на странице: 1из 27

Feature Language Support Encryption APIs

Operating System
iPhone OS iPhone Apps can only be iPhone provides a Common Crypto
developed in Objective-C. The library in the libSystem dynamic
applications can invoke C library. CFNetwork is a high-level
libraries and C code. API that can be used by
applications to create and maintain
secure data streams
and to add authentication
information to a message.
Block Encryption and decryption is
also supported by the Supported
by the Certificate, Key and Trust
Services API. Storage encryption
can be achieved using KeyChain
API.

Blackberry The BlackBerry device The RIM crypto API supports a wide
supports MIDlets (Java range of asymmetric, symmetric
applications that use and hashing algorithms. It has a
standard MIDP and CLDC APIs Key Store API and a Messaging API
only) and Java applications that is CMS compliant.
that use the BlackBerry APIs.
Android All apps are written in Java Does not have support for device-
and executed within a custom level encryption. However,
JVM called Dalvik Virtual supports the javax.crypto API for
Machine. Development in C is creating encryption capable
possible but apps have to be applications. Bouncycastle's J2ME
externally compiled and then provider comes bundled with
loaded. Android.

Symbian Platform Applications can be Supports the Security and Trust


developed for Symbian using Services API (SATSA) for Java ME
C++ or J2ME. that defines a set of APIs that
Using Symbian's Web allows applications to
Runtime Tools that support communicate with and access
HTML/ JavaScript/ CSS, web functionality, secure storage and
applications can be cryptographic operations provided
developed, distributed and by security elements. Supports the
installed on Symbian devices. SATSA-CRYPTO package to enable
symmentric and asymmetric
cryptography.

Also has C++ classes for OS based


encryption and decryption.
Another alternative is use of
Bouncycastle's Lightweight Crypto
API.
Windows Phone Third-paty applications can be Windows Mobile provides
developed for Windows Phone cryptography services that enable
by application developers to add
- writing native code with cryptographic security to their
Visual C++ applications. These are available in
- writing Managed code that the form of Cryptography APIs and
works with the .NET Compact Cryptographic Service Providers
Framework (CSP).
- Server-side code that can be
deployed using Internet Windows Phone also supports
Explorer Mobile or a mobile Device Encryption which allows
client on the user's device. encryption os internal as well as
There is no J2ME version for external memory cards using a
Windows Phone. password that is itself encrypted
and stored using the Device Lock
PIN.
Certificate Management SSL/ TLS support

iPhone provides the the Keychain Supports TLS/ SSL. Also has a
Services API and the Certificate, CFNetwork API, a high-level C API
Key, and Trust services API, whichthat makes it easy to create,
in turn communicate with the send, and receive serialized HTTP
internal Security Server. messages.
Because CFNetwork is built on
In iPhone OS, an application can top of Secure Transport, data
access only its own items in the stream can be encrypted using
keychain—the user is never asked any of a variety
for permission or for a password. of SSL or TLS protocol versions.

The RIM crypto API provides a Data can be encrypted over


Certificate Management API and a SSL/TLS for the entire connection
Key Store API. between BlackBerry
smartphones and the application
server. The RIM crypto API
provides a WTLS and a TLS API.
Supports java.security.cert Supports javax.net.ssl package
package that provides all the that provides all the classes and
classes and all the interfaces interfaces needed to implement
needed to generate, administer and program the Secure Socket
and verify X.509 certificates. abstraction based on the SSL
protocol SSSLv3.0 or TLSv1.2.

OpenSSL is also available on


Android as a standard
component. The Android
javax.net.ssl package uses the
OpenSSL Library to implement
the low level SSL functionality.

Certificate and Key Management Symbian Platform SSL/ TLS client


is supported through the SATSA functionality through both native
PKI UserCredentialManagement C++ API provided by the OS and
class. through MIDP.

Another alternative is use of


Bouncycastle's Lightweight Crypto
API.
Windows mobile provides a Windows Mobile device shas
Credential Manager that consists inbuilt SSL support for HTTP
of a set of APIs that applications protocol. Its NATIVE SSL support
can use to cache and obtain is however lacking as one socket
cached credentials. The supported can only receive and send at one
Credential types include time. So for full duplex
Certificates. connection two SSL sockets are
Windows Mobile only supports needed.
client certificates using its
wireless authentication
components. Machine certificates
are not supported.
VPN Support Authentication Support

In iPhone OS, there is no API for The iPhone OS security services


Secure Transport. CFNetwork API do not provide an authentication
is used for secure connections. interface. It relies on the device's
PIN for Authentication.

Supports VPN functionality only By default, Blackberry supports


through a Blackberry Enterprise simple password device
Server. Does not have a bundled authentication. Server-side strong
VPN client that can connect to authentication can be built into
third-party VPN servers. applications using J2ME and the
RIM crypto API.
The supported types of VPN are Supports
- L2TP/IPSEC pre-shared key javax.security.auth.plugin
based VPN package that provides a
- L2TP/IPsec certificate based pluggable and stackable
VPN authentication system based on
- L2TP only VPN ideas and concepts from the Unix-
- PPTP only VPN PAM module.

Also, a VPN client for openvpn is


available but it requires root
access to the phone to be
started.

Vpnclient software is used to Authentication is supported


establish secure connections through the SATSA PKI
from a mobile device to CMSMessageSignatureService
protected networks (e.g. a class. This class provides an
company intranet) over insecure authenticate method that can be
networks such as the Internet. used to invoke DSC based
Vpnclient is based on open authentication capability on the
standards and it can be used underlying device.
with various security gateways Password-based authentication
produced by different vendors. can be supported using the
standard J2ME Authenticator
Symbian also supports IPSec. class.
By default, Windows Mobile To achieve network
supports virtual private authentication the Windows
networking (VPN), Mobile Security Support Provider
using either Layer Two Tunneling Interface (SSPI) allows
Protocol with Internet Protocol applications to access DLLs —
Security encryption (LT2P/IPSec) called Security Support Providers
or Point-to-Point Tunneling (SSPs) — that provide common
Protocol (PPTP). authentication protocols like
Kerberos, NTLM and SSL.
Additionally, Windows Mobile-
based devices can dial into
Remote Access Servers by using
one of the following
authentication protocols:
- Password Authentication
Protocol (PAP)
- Challenge Handshake
Authentication Protocol (CHAP)
- Microsoft CHAP v1 & 2
Digital Signatures Authorization

Supported by the Certificate, Key The iPhone OS security services


and Trust Services API. iPhone do not provide an authorization
has Apple's Fast Elliptic interface. It relies on the
Encryption (FEE) implementation sandboxing to achieve this. Each
that has a small memory application is put in a sandbox
footprint. that restricts the application to
using only its own files
and preferences, and limits the
system resources to which the
application has access.

Digital Signatures are supported BlackBerry applications can write


through Core Crypto API or only to the BlackBerry
through the CMS API which is devicecmemory that the
PKCS #7 compliant. Supports EC BlackBerry® Java® Virtual
based cryptosystems. Machine uses; they cannot
access the virtual memory or the
persistent storage of
other applications unless they
are specifically granted access to
do so through the use of special
Blackberry APIs. Research In
Motion must digitally
sign a BlackBerry Java
Application that uses these
BlackBerry APIs, to provide an
audit trail of applications that
use sensitive
APIs.
BouncyCastle has a J2ME provider The Android manifest file allows
that can be used on Android. This developers to define an access
provider comes bundled with control policy for access to
Android however certain components
algorithms like EC do not seem to - Each component can be
be working. This will have to be assigned an access permission
investigated further. label
- Each application requests a list
of permission labels which are
fixed at install

When an application requests


permissions to access other
applications or OS features, the
OS either automatically allows or
disallows based on certificates or
prompts the user.

Digital Signatures are supported Symbian platform has a UNIX-


through the SATSA PKI style capability model
CMSMessageSignatureService (permissions per process, not
class. This class provides a sign per object).
method that can be used to
invoke signature capability on the Symbian supports Data caging
underlying device. The signatures which means that the
are generated in accordance with applications and the users have
CMS - PKCS #7. access only to certain areas of
Currently, Symbian Platform does the file system. In practice the
not support ECC. applications can access their
own private directories and
directories that are marked as
open.
Privileges can be granted by
user at installation time, through
being Symbian signed or by
device manufacturer.
Digital Signatures based upon Windows Phone has the concept
RSA are supported. of Normal and Privileged
applications.

Normal applications cannot


access protected registry keys
and system APIs.

Privileged Applications can


access all registry keys and all
system APIs and can install
certificates on the device.
Privileged applications can
switch to run kernel mode.
Privilege is assigned to
processes rather than to
modules.
Application Deployment

Digital signatures are required on


all applications for iPhone OS. The
developer first signs an application.
It is then signed by Apple.

An application that
hasn’t been signed by Apple will not
execute.

(The BlackBerry device allows the


downloading of all third-party Java
applications by default.
BlackBerry smartphone applications
using the RIM crypto API require
developers to sign and register
their applications with Research In
Motion (RIM).
All Android applications (.apk files)
must be signed with a certificate
whose private key is held by their
developer. This certificate identifies
the author of the application and
may even be self-signed.

Digital signatures by Symbian are


required on all trusted applications
for Symbian OS. These are applied
through the Symbian Signed
program.

An application that
hasn’t been signed by Symbian will
be an untrusted application.
Windows Mobile devices are
available in several security
configurations. The typical
configurations are locked, third-
party signed, prompt, and security-
off.

Windows Phone has the concept of


Normal, Privileged and Blocked
applications. Privileged
applications are those that are
signed using a Certificate available
in the Privileged Execution Trust
Authorities Store. Privileged
applications can be created by
getting them signed by Verisign -
a Microsoft Partner.
S.No Category
Software Modification Threats
1

2 Data Threats

Threats due to Malware

4 DoS Attacks
5 Messaging based Attacks

6 Threats due to OS Vulnerabilities

7
Threat Description
Attack via faulty or illegal privileged Moderate
code extensions

Data extraction from Lost/ stolen


devices

Viruses, Worms, Trojans


Spyware
Rootkits
Jailbreaking
social engineering attacks

Data Theft Taking someone’s pictures, messages,


phonebook or file data without the
permission of the owner

Copyright Abuse Violating paid for content – e.g. by


recording and distributing pay-per-
view films
Device Theft phones are a highly lucrative item and
phone theft is a massive problem. Re-
enabling stolen phones is a key driver
for hacking phones

Theft of Service stealing someone else’s minutes or


data or getting free service from the
network
Denial of Service preventing normal operating of a
phone or preventing the access to or
operation of a network
Disruptive / Anarchistic Attacks attacks in which the intention is to
cause upset, distress and disturbance
to the user, network or corporation
such as a virus (could include Denial of
Service).

Interception listening into someone’s calls or


getting access to messages / data
during transit
Facilitators some attacks are deliberately
designed to create a staging post for
other forms of attack.
Fraud Getting financial gain by deceptive
means
Method of Propagation Resolution
WWW

MMS, SMS, Email, Bluetooth, WiFi,


User Installation, Self Installation,
Memory Card, USB
A distrusting partner or spouse can
secretly download the free application,
called PhoneSnoop, onto your
BlackBerry, remotely turn on the
microphone, and listen to
conversations held in proximity to the
device.
Major Players