Software Security & Privacy Risks in Mobile E-Commerce
Kartikeya Kakarala
CSCI 5939 - Independent Study: Wireless Application Protocols
Contents
• Introduction
• New Security & Privacy Risks
• Addressing the Software Risks
• Platform Risks
• Software Application Risks
• WML Script
• Security Risks of WML Script
• Conclusion
Introduction
• M-Commerce: e-commerce conducted by accessing the internet through wireless devices.
• Major applications of M-Commerce:
  • Weather reports, sport scores, flight information, navigational maps, stock quotes, email, etc.
• According to Strategy Analytics, by 2004 over 1 billion wireless device users, 600 million wireless internet subscribers and a $200 billion mobile e-commerce market are expected.
Introduction (Cont.)
• Because of such anticipated growth, new security and privacy risks abound in M-Commerce.
• Integrating security and privacy into M-Commerce applications would give a projected $25 billion market.
• On the other hand, if security is not properly addressed, it would significantly dampen consumer adoption rates.
New Security & Privacy Risks
• New hazards
  • In wireless devices, due to their mobility and communication medium.
  • A single malicious domain could potentially compromise wireless devices through malicious downloads or simple denial of service.
  • Rather than an attacker needing to pursue a target, targets can come to attackers in wireless networks by simply roaming through the attacker's zone.
New Security & Privacy Risks (Cont.)
• Most vendors' implementations of SSL or WTLS do not reauthenticate or recheck certificates once a connection is established.
• Simply "refreshing" a browser to re-establish a connection may inadvertently introduce risks through redirection of the URL.
• Example: a hacker can compromise the closest DNS server that routes a client's web request for a site 'X' and redirect it to the hacker's site.
New Security & Privacy Risks (Cont.)
• Attacks launched from wireless devices would become easy.
• Another risk unique to mobile devices is the risk of loss or theft.
• Tracking of users' on-line web usage via cookies could lead to loss of privacy.
• Size and time limitations make it more unlikely that a user would read through the privacy policies of a web site.
Addressing the Software Risks
• Security risks of wireless devices must be carefully analyzed and addressed.
• "WAP gap"
  • Wireless requests to web pages are translated at the WAP gateway from the WTLS protocol to the SSL protocol widely used in HTTP requests.
  • If an attacker compromises the WAP gateway, they could capture data at the point where decryption is done.
• WAP gap problem
  • Solved by simple modifications to existing protocols.
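As an added illustration (not from the slides or the paper they summarise), the Python model below shows why the WAP gap matters: a toy keystream cipher stands in for both WTLS and SSL (it is neither protocol), `Gateway.relay` shows that whoever controls the gateway holds the plaintext between the two hops, and `end_to_end_demo` assumes one possible protocol modification, an extra key shared only by handset and origin server layered inside WTLS/SSL, under which the gateway only ever sees ciphertext.

```python
import hashlib, hmac, os

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher standing in for WTLS and SSL (constructed; not a real protocol):
    # keystream block i = HMAC-SHA256(key, i), XORed over 32-byte chunks. Encrypt == decrypt.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class Gateway:
    """Models the WAP gateway: terminates WTLS from the handset, re-encrypts under SSL to the server."""
    def __init__(self, wtls_key: bytes, ssl_key: bytes):
        self.wtls_key, self.ssl_key = wtls_key, ssl_key
        self.seen_plaintext = []          # what a compromised gateway could capture

    def relay(self, wtls_record: bytes) -> bytes:
        plaintext = keystream_xor(self.wtls_key, wtls_record)   # WTLS decryption happens here
        self.seen_plaintext.append(plaintext)
        return keystream_xor(self.ssl_key, plaintext)           # SSL encryption towards the server

def wap_gap_demo(request: bytes):
    """Plain WAP: returns (what the server decrypts, what the gateway saw)."""
    wtls_key, ssl_key = os.urandom(32), os.urandom(32)
    gw = Gateway(wtls_key, ssl_key)
    ssl_record = gw.relay(keystream_xor(wtls_key, request))
    return keystream_xor(ssl_key, ssl_record), gw.seen_plaintext[0]

def end_to_end_demo(request: bytes):
    """Assumed fix: an extra key shared only by handset and origin server, layered inside WTLS/SSL."""
    wtls_key, ssl_key, e2e_key = os.urandom(32), os.urandom(32), os.urandom(32)
    gw = Gateway(wtls_key, ssl_key)
    inner = keystream_xor(e2e_key, request)                     # sealed before it reaches the gateway
    ssl_record = gw.relay(keystream_xor(wtls_key, inner))
    server_view = keystream_xor(e2e_key, keystream_xor(ssl_key, ssl_record))
    return server_view, gw.seen_plaintext[0]                    # the gateway only ever held `inner`

if __name__ == "__main__":
    req = b"POST /checkout card=4111111111111111&amount=42"   # constructed sample request
    print("WAP gap, gateway saw plaintext:", wap_gap_demo(req)[1] == req)
    print("End-to-end, gateway saw plaintext:", end_to_end_demo(req)[1] == req)
```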
Platform Risks
• Platform or the operating system
  • The basic infrastructure for running M-Commerce applications.
  • Without a secure infrastructure on the device, it is not possible to attain secure M-Commerce.
• Present scenario
  • Many manufacturers do not provide all the necessary requirements.
Platform Risks (Cont.)
• Many manufacturers have failed to provide:
  • Memory protection for processes
  • Protected kernel rings
  • File access control
  • Authentication of principals to resources
  • Differentiated user and process privileges
  • Sandboxes for untrusted code, etc.
• Due to the lack of these features, the platform becomes vulnerable to attacks.
Platform Risks (Cont.)
• To address these platform risks, the wireless device platforms need to:
  • Enforce memory protection between applications.
  • Build strong authentication mechanisms, such as fingerprint recognition systems, into the devices.
  • Use software certificates to authenticate software to the user before it is installed on the device.
Software Application Risks
• Low-level languages
  • In handheld devices, cause the continuation of basic flaws like buffer overflows.
• Application developers may forgo security features like encryption
  • Due to the limited power, lack of processing cycles, memory and bandwidth of the devices
  • To increase online performance.
• Interesting software development
  • The ability to send and execute mobile code.
• WML Script is used to overcome software application risks.
WML Script
• WML Script
  • The WAP equivalent of JavaScript.
  • It is used basically to provide a uniform interface to wireless applications.
  • It is used to provide functions independent of the device brand.
• Uniform interface functionality and compatibility across different phones, regardless of brand, can be achieved by developing a WML Script interpreter.
Security Risks of WML Script
• The security risks associated with WML Script are based on a fundamental lack of a model for secure computation.
• WML Script
  • Is not a type-safe language.
  • Can be pushed to a device without the owner's knowledge by scheduled pulls from web pages or other WML Scripts.
  • To achieve efficiency, it is compiled into WML Script bytecode, which is downloaded by the client and run on a WML Script virtual machine.
Security Risks of WML Script (Cont.)
• WML Script provides access to telephony functions through the WTAI.
• Access to a phone's telephony facilities allows online service providers to:
  • Accept/initiate calls
  • Send/receive text messages
  • Add/search/remove phonebook entries
  • Examine call logs
  • Send tones during calls, etc.
• To prevent this, permission functions through WTAI should be created.
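To make the "permission functions" idea concrete, here is an added Python sketch (not code from the slides, the paper or the WAP Forum) of a deny-by-default gate that mediates every telephony call a pushed script makes: the function names, permission groups and in-memory `Device` are constructed stand-ins, not the WTAI specification.

```python
class Device:
    """In-memory stand-in for the phone's telephony state (constructed for the demo)."""
    def __init__(self):
        self.phonebook, self.call_log, self.outbox = {}, [], []
    def makeCall(self, number):
        self.call_log.append(number)
        return "calling " + number
    def sendText(self, number, text):
        self.outbox.append((number, text))
        return "sent"
    def addPBEntry(self, name, number):
        self.phonebook[name] = number
        return "ok"
    def readPBEntry(self, name):
        return self.phonebook.get(name)
    def readCallLog(self):
        return list(self.call_log)

# Each telephony function belongs to a permission group the owner must grant per origin.
GROUPS = {"makeCall": "telephony", "sendText": "messaging",
          "addPBEntry": "phonebook", "readPBEntry": "phonebook", "readCallLog": "calllog"}

class WtaiGate:
    """Mediates every WTAI-style call a script makes: deny by default, allow granted groups, log all."""
    def __init__(self, device, grants):
        self.device, self.grants, self.audit = device, grants, []   # grants: origin -> set(groups)

    def run_script(self, origin, calls):
        results = []
        for func, args in calls:                 # calls: the script's sequence of (function, args)
            group = GROUPS.get(func)
            if group is None or group not in self.grants.get(origin, set()):
                self.audit.append(f"{origin}: {func} denied (needs {group or 'unknown function'})")
                results.append(None)             # the script gets nothing, the owner gets a log line
                continue
            self.audit.append(f"{origin}: {func} allowed")
            results.append(getattr(self.device, func)(*args))
        return results

def demo():
    # Constructed scenario: a shop's script was granted only 'messaging' by the owner.
    dev = Device()
    dev.addPBEntry("alice", "+15550001")
    gate = WtaiGate(dev, {"shop.example": {"messaging"}})
    script = [("sendText", ("+15550002", "order confirmed")),
              ("readPBEntry", ("alice",)),       # phonebook read: denied
              ("makeCall", ("+15550003",))]      # outgoing call: denied
    return gate.run_script("shop.example", script), gate.audit, dev
```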
Conclusion
• The goal here was to highlight key security and privacy risks already apparent in these devices.
• The platforms and languages being developed for wireless devices have failed to adopt fundamental security concepts established on desktop machines.
• Encrypted communication protocols are necessary to provide confidentiality, integrity and authentication services for M-Commerce applications.
• The best strategy for addressing security would be to implement it in the platforms and applications themselves, rather than to introduce security patches afterwards.
References
• Anup K. Ghosh and Tara M. Swaminatha, technical paper "Software security & privacy risks in mobile E-Commerce"
• www.wapforum.org