  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
11

Användarnas förtroende för mobila tjänsters säkerhet : Vilka säkerhetskrav uppfyller mobila betalningstjänster och vilket förtroende finns för sådana tjänster? / User trust in the security surrounding mobile services : Trust and performance regarding mobile security?

Johansson, Mattias, Andersson, Linus January 2006
The mobile technology is under constant development and the mobile phone today has many other functions besides just talking. The demand for new mobile services is constantly getting stronger since the mobile phone becomes more and more powerful. Among these services is the possibility to perform transactions of money. With this we mean using the mobile phone to pay bills and other services that are connected to a user's assets. The transaction of money of course requires high security. What do the consumers know about the security surrounding these kinds of services? Today many payments and transactions that involve money take place over the Internet from the home computer, and the banks that offer these services claim that this is safe. But what do they say about the security surrounding their mobile alternatives? Does the necessary security exist for these mobile services and does it have the consumers' trust? If the users do not trust the security surrounding the mobile services, they will probably not use them. We will therefore with this thesis try to investigate if the security that surrounds the mobile payment services is equivalent to when the services are used on a home computer and if the services have the users' trust.

The purpose of this thesis is to investigate the users' trust regarding mobile payment services and if these services fulfil the same security demands as when they are used normally at the home computer. The study began with a review of existing theories regarding the security for mobile Internet and Internet usage on the home computer. Thereafter interviews took place with experts having great knowledge regarding mobile Internet security. We then performed a web-based survey to get information about the users' trust for the security surrounding mobile payment services. We used a focus group with the aim of helping us select relevant questions for the survey. The results from the interviews and the survey study were then analyzed with the chosen theory.

On the basis of our survey we can draw the conclusion that the majority of respondents do not trust the security that surrounds mobile payment services. The majority is of the opinion that it is not as safe to use mobile Internet services as to use the corresponding service from the computer at home. However, half of the population could very well consider paying bills with the mobile phone and a large part of the respondents would also like to use financial transactions with this kind of media. We also conclude that a mobile phone does not reach the security standard of a home computer.
13

Micro-architectural Threats to Modern Computing Systems

Inci, Mehmet Sinan 17 April 2019
With the abundance of cheap computing power and high-speed internet, cloud and mobile computing replaced traditional computers. As computing models evolved, newer CPUs were fitted with additional cores and larger caches to accommodate running multiple processes concurrently. In direct relation to these changes, shared hardware resources emerged and became a source of side-channel leakage. Although side-channel attacks have been known for a long time, these changes made them practical on shared hardware systems. In addition to side-channels, concurrent execution also opened the door to practical quality of service (QoS) attacks. The goal of this dissertation is to identify side-channel leakages and architectural bottlenecks on modern computing systems and introduce exploits. To that end, we introduce side-channel attacks on cloud systems to recover sensitive information such as code execution, software identity as well as cryptographic secrets. Moreover, we introduce a hard to detect QoS attack that can cause over 90+% slowdown. We demonstrate our attack by designing an Android app that causes degradation via memory bus locking. While practical and quite powerful, mounting side-channel attacks is akin to listening on a private conversation in a crowded train station. Significant manual labor is required to de-noise and synchronize the leakage trace and extract features. With this motivation, we apply machine learning (ML) to automate and scale the data analysis. We show that classical machine learning methods, as well as more complicated convolutional neural networks (CNN), can be trained to extract useful information from side-channel leakage trace. Finally, we propose the DeepCloak framework as a countermeasure against side-channel attacks. We argue that by exploiting adversarial learning (AL), an inherent weakness of ML, as a defensive tool against side-channel attacks, we can cloak the side-channel trace of a process. With DeepCloak, we show that it is possible to trick highly accurate (99+% accuracy) CNN classifiers. Moreover, we investigate defenses against AL to determine if an attacker can protect itself from DeepCloak by applying adversarial re-training and defensive distillation. We show that even in the presence of an intelligent adversary that employs such techniques, DeepCloak still succeeds.
14

Provably Secure Nested One-Time Secret Mechanisms for Fast Mutual Authentication and Key Exchange in Mobile Communications

Ho, Pei-hsiu 10 February 2011
Wireless communication has played a very important role in people's communication activities due to the properties of fast mobility and high portability. Many security mechanisms for mobile communications have been introduced in the literature. Among these mechanisms, authentication is a quite important task in the entire mobile network system and acts as the first defense against attackers since it ensures the correctness of the identities of distributed communication entities before they engage in any other communication activity. Some schemes have similar drawbacks, such as high bandwidth consumption between VLR and HLR, storage overhead in VLR, and lack of VLR authentication. On the other hand, some protocols are efficient, but they are not based on rational assumptions. Ideally, a mobile authentication scheme should achieve mutual entity authentication, low storage cost in VLR, and light-weight computation and communication for each entity, to provide secure and fast communication services. Therefore, in order to guarantee the quality of this advanced technology, an efficient (especially, user efficient) and secure authentication scheme is urgently desired, and moreover, it should be under reasonable assumptions. In this dissertation, we come up with a novel authentication mechanism, called the nested one-time secret mechanism, tailored for mobile communication environments. Through maintaining inner and outer synchronously changeable common secrets, respectively, every mobile user can be rapidly authenticated by VLR and HLR, respectively, in the proposed scheme based on rational assumptions. Not only does the proposed solution achieve mutual authentication, but it also greatly reduces the computation and communication cost of the mobile users as compared with the existing authentication schemes. Finally, we formally prove that the proposed scheme is a secure mutual authentication and key exchange scheme under the assumptions of semantic security of encryption, indistinguishability of a pseudorandom function and a random function, and indistinguishability of a pseudorandom permutation and a random permutation.
15

Analýza útoků s využitím mobilního zařízení Pwn Phone / Analysis of Attacks with Mobile Device Pwn Phone

Holubec, Petr January 2016
This thesis deals with the safety of wireless networks and used protocols. The aim is to describe chosen network attacks and demonstrate the feasibility of using the device Pwn Phone. A system consisting of a mobile application and a server component allowing execution of an NFC relay attack on contactless credit cards will also be implemented. The system will be tested in the real world, and evaluation of the success in different conditions will also be part of the thesis.
16

Security for Mobile Payment Transaction

Desta, Girmay January 2012
The advancement of ICT in a variety of sectors helped in improving the time consuming and rigid service into fast and flexible service that is closer to the reach of individuals. For instance, mobile applications have evolved in different sectors such as healthcare patient support, geographic mapping and positioning, banking, e-commerce payment services and others. This study focuses on one of the most sensitive applications, which is mobile payment. Mobile payment system being one of the widely expanding mobile services, it has security concerns that prevented its wide acceptance. Some of the main security services given prior attention in mobile payment are issues of privacy, authentication and confidentiality. The research concentrates on the strong authentication of a mobile client to its server, securing the credit card information and use of a mobile card reader while making payments that enable customers to protect the privacy of financial credentials. The strong authentication mechanism mainly follows the NIST standard publications, namely FIPS PUB 201 and FIPS 196, which are standards on Entity Authentication using public key cryptography and PKI credential storage Personal Identity Verification (PIV) card respectively. The proposed secure Credit Card Information (CCI) storage is in a secure element in order to prevent tampering of stored data. The secure element options are microSD, UICC, Smartcard (together with digital certificate and service ticket). While making payments, the payment information encrypted using a shared key is securely sent to the payment server. A demo mobile application as proof of concept was implemented in a simulated lab (KTH SecLab), which has all the necessary infrastructure setup (servers, card reader) for testing the proposed solution. The paper was able to prove the concept of secure payment by enhancing the authentication, confidentiality and privacy of payment information. However, the demo for Strong Authentication did not completely succeed as expected due to unexpected bugs in the early version of the card reader SDK.
17

LEVERAGING MULTIMODAL SENSING FOR ENHANCING THE SECURITY AND PRIVACY OF MOBILE SYSTEMS

Habiba Farrukh (13969653) 26 July 2023
Mobile systems, such as smartphones, wearables (e.g., smartwatches, AR/VR headsets), and IoT devices, have come a long way from being just a method of communication to sophisticated sensing devices that monitor and control several aspects of our lives. These devices have enabled several useful applications in a wide range of domains ranging from healthcare and finance to energy and agriculture industries. While such advancement has enabled applications in several aspects of human life, it has also made these devices an interesting target for adversaries.

In this dissertation, I specifically focus on how the various sensors on mobile devices can be exploited by adversaries to violate users' privacy and present methods to use sensors to improve the security of these devices. My thesis posits that multi-modal sensing can be leveraged to enhance the security and privacy of mobile systems.

In this, first, I describe my work that demonstrates that human interaction with mobile devices and their accessories (e.g., stylus pencils) generates identifiable patterns in permissionless mobile sensors' data, which reveal sensitive information about users. Specifically, I developed S3 to show how embedded magnets in stylus pencils impact the mobile magnetometer sensor and can be exploited to infer a user's incredibly private handwriting. Then, I designed LocIn to infer a user's indoor semantic location from 3D spatial data collected by mixed reality devices through LiDAR and depth sensors. These works highlight new privacy issues due to advanced sensors on emerging commodity devices.

Second, I present my work that characterizes the threats against smartphone authentication and IoT device pairing and proposes usable and secure methods to protect against these threats. I developed two systems, FaceRevelio and IoTCupid, to enable reliable and secure user and device authentication, respectively, to protect users' private information (e.g., contacts, messages, credit card details) on commodity mobile and allow secure communication between IoT devices. These works enable usable authentication on diverse mobile and IoT devices and eliminate the dependency on sophisticated hardware for user-friendly authentication.
18

User-Intention Based Program Analysis for Android Security

Elish, Karim Omar Mahmoud 29 July 2015
The number of mobile applications (i.e., apps) is rapidly growing, as mobile computing becomes an integral part of the modern user experience. Malicious apps have infiltrated open marketplaces for mobile platforms. These malicious apps can exfiltrate users' private data, abuse system resources, or disrupt regular services. Despite the recent advances in mobile security, the problem of detecting vulnerable and malicious mobile apps with high detection accuracy remains an open problem. In this thesis, we address the problem of Android security by presenting a new quantitative program analysis framework for security vetting of Android apps. We first introduce a highly accurate proactive detection solution for detecting individual malicious apps. Our approach enforces benign property as opposed to chasing malware signatures, and uses one complex feature rather than multi-feature as in the existing malware detection methods. In particular, we statically extract a data-flow feature on how user inputs trigger sensitive critical operations, a property referred to as the user-trigger dependence. This feature is extracted through nontrivial Android-specific static program analysis, which can be used in various quantitative analytical methods. Our evaluation on thousands of malicious apps and free popular apps gives a detection accuracy (2% false negative rate and false positive rate) that is better than, or at least competitive against, the state-of-the-art. Furthermore, our method discovers new malicious apps available in the Google Play store that have not been previously detected by anti-virus scanning tools. Second, we present a new app collusion detection approach and algorithms to analyze pairs or groups of communicating apps. App collusion is a new technique utilized by the attackers to evade standard detection. It is a new threat where two or more apps, appearing benign, communicate to perform a malicious task. Most of the existing solutions assume the attack model of a stand-alone malicious app, and hence cannot detect app collusion. We first demonstrate experimental evidence on the technical challenges associated with detecting app collusion. Then, we address these challenges by introducing a scalable and in-depth cross-app static flow analysis approach to identify the risk level associated with communicating apps. Our approach statically analyzes the sensitivity and the context of each inter-app communication with low analysis complexity, and defines fine-grained security policies for the inter-app communication risk detection. Our evaluation results on thousands of free popular apps indicate that our technique is effective. It generates four times fewer false positives compared to the state-of-the-art collusion-detection solution, enhancing the detection capability. The advantages of our inter-app communication analysis approach are the analysis scalability with low complexity, and the substantially improved detection accuracy compared to the state-of-the-art solution. These types of proactive defense solutions allow defenders to stay proactive when defending against constantly evolving malware threats. / Ph. D.
19

Modeling and Analysis of Intentional And Unintentional Security Vulnerabilities in a Mobile Platform

Fazeen, Mohamed, Issadeen, Mohamed 12 1900
Mobile phones are one of the essential parts of modern life. Making a phone call is not the main purpose of a smartphone anymore, but merely one of many other features. Online social networking, chatting, short messaging, web browsing, navigating, and photography are some of the other features users enjoy in modern smartphones, most of which are provided by mobile apps. However, with this advancement, many security vulnerabilities have opened up in these devices. Malicious apps are a major threat for modern smartphones. According to Symantec Corp., by the middle of 2013, about 273,000 Android malware apps were identified. It is a complex issue to protect everyday users of mobile devices from the attacks of technologically competent hackers, illegitimate users, trolls, and eavesdroppers. This dissertation emphasizes the concept of intention identification. Then it looks into ways to utilize this intention identification concept to enforce security in a mobile phone platform. For instance, a battery monitoring app requiring SMS permissions indicates suspicious intention as battery monitoring usually does not need SMS permissions. Intention could be either the user's intention or the intention of an app. These intentions can be identified using their behavior or by using their source code. Regardless of the intention type, identifying it, evaluating it, and taking actions by using it to prevent any malicious intentions are the main goals of this research. The following four different security vulnerabilities are identified in this research: malicious apps, spammers and lurkers in social networks, eavesdroppers in phone conversations, and compromised authentication. These four vulnerabilities are solved by detecting malware applications, identifying malicious users in a social network, enhancing the encryption system of a phone communication, and identifying user activities using electroencephalogram (EEG) for authentication. Each of these solutions is constructed using the idea of intention identification. Furthermore, many of these approaches have utilized different machine learning models. The malware detection approach performed with an 89% accuracy in detecting the given malware dataset. In addition, the social network user identification model's accuracy was above 90%. The encryption enhancement reduced the mobile CPU usage time by 40%. Finally, the EEG based user activities were identified with an 85% accuracy. Identifying intention and using it to improve mobile phone security are the main contributions of this dissertation.
20

Att våga vara mobil : En studie i hur företag kan påverka konsumentens köpvanor genom införandet av mobil handel

Fagerman, Hannes, Nilsson, Martin January 2012 (has links)
We chose to write this essay about mobile commerce and what influences a consumer's buying habits within mobile commerce. We also look at how a company can implement mobile commerce. We could not find any studies that directly addressed factors that affected consumers of mobile commerce prior to this essay. This was one of the reasons that we chose to write about it. In the introductory chapter, we will discuss important issues relating to ecommerce and the use of smartphones as a tool for marketing and trade. In the methodology chapter, we explain our choice of methods for this essay. We reported on the techniques and methods to collect data that were relevant to this work and then we had a discussion about the methodological choices made. The methodology chapter ended with a presentation of our criticism about the choice of methods. In the theory chapter we describe the relevant theories on our subject. We describe some factors that could influence a consumer's purchasing behaviour, and other theories about how companies can implement mobile commerce. We then describe the material collected through surveys and interviews we conducted. This data formed the basis for the synthesis, analysis and conclusions, which we reported in the essay. In the analysis we combine theory and empirical data and then interpret the data we have collected. In the conclusion we responded to the questions we asked and gave advice to companies that are interested in introducing mobile commerce.
