Franklin Heath Ltd
Smartphone Platform Security
What can we learn from Symbian?
Craig Heath
Independent Security Consultant
15 Jan 2015
© Franklin Heath Ltd, CC BY 3.0

Discussion Points
• Was Symbian OS platform security a success?
• Did developer difficulties with platform security contribute to Symbian’s downfall?
• Could those difficulties have been prevented?
• Did Symbian’s platform security have anything better than today’s successful platforms?

Symbian OS Versions

Without Platform Security

Year  Ver.  UI Layer               Typical Phone
2001  6.0   Series 80              Nokia 9210
2002  6.1   S60 1st Edition+FP1    Nokia 7650
2002  6.1   MOAP(S)                Fujitsu F2051
2002  7.0   UIQ 2.0 (& 2.1)        Sony Ericsson P800
2003  7.0S  S60 2nd Edition+FP1    Nokia 6600
2004  8.0a  S60 2nd Edition FP2    Nokia 6630
2005  8.1a  S60 2nd Edition FP3    Nokia N90
2007  8.1b  MOAP(S)                Fujitsu F905i

With Platform Security

Year  Ver.  UI Layer               Typical Phone
2006  9.1   S60 3rd Edition        Nokia 3250
2006  9.1   UIQ 3.0                Sony Ericsson P990
2007  9.2   S60 3rd Edition FP1    Nokia N95
2007  9.2   UIQ 3.1 & 3.2          Motorola Z8
2008  9.3   S60 3rd Edition FP2    Samsung i8510
2008  9.4   S60 5th Edition        Nokia 5800
2009  9.4   S60 5th Edition        Nokia N97
2010  ^2    MOAP(S)                Fujitsu F-07B
2010  ^3    S60                    Nokia N8
2011  Anna  S60                    Nokia E6

Symbian Platform Security Architecture
• Run-time controls on system and applications
• Based on long-established security principles
    • e.g. “Trusted Computing Base”, “Least Privilege”
• Designed for mobile device use cases
    • low-level, highly efficient implementation
• “Capabilities” determine process privileges
    • checked by APIs which offer security-relevant services
• “Data Caging” protects stored data
    • protected directories for system and for applications
• Secure identifiers (“SIDs”) for applications
    • verified at install-time
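
The run-time checks listed on this slide (capabilities checked by service APIs, data caging, SIDs), modelled as an added example in standard C++; it is not code from the deck or from Symbian OS. Type and function names, SIDs and sample paths are hypothetical, and the per-directory rules (\sys, \resource, \private\<SID>) follow the documented Symbian data-caging layout, which goes beyond what the slide spells out.

```cpp
// Added illustration in standard C++ (not Symbian OS C++).
// All type and function names here are hypothetical.
#include <algorithm>
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

// A few of the capability names from the deck, as bit flags.
enum Capability : uint32_t {
    kNone = 0, kNetworkServices = 1u << 0, kReadUserData = 1u << 1,
    kAllFiles = 1u << 2, kTCB = 1u << 3,
};

// Fixed for a process when it is launched: its SID and capability set.
struct Process {
    uint32_t sid;   // secure identifier
    uint32_t caps;  // bitwise OR of Capability values
    bool has(uint32_t required) const { return (caps & required) == required; }
};

// Policy a service API applies to its caller before doing any work.
struct Policy {
    uint32_t requiredCaps;  // every listed capability must be held
    uint32_t requiredSid;   // 0 means any caller
};

bool policyAllows(const Process& client, const Policy& policy) {
    if (policy.requiredSid != 0 && client.sid != policy.requiredSid) return false;
    return client.has(policy.requiredCaps);
}

enum class Access { Read, Write };

// Split on '/' or '\\' and lower-case each component. Returns false on "."
// or ".." so a path cannot step out of a caged directory (fail closed).
static bool splitPath(std::string path, std::vector<std::string>& out) {
    std::replace(path.begin(), path.end(), '\\', '/');
    std::stringstream ss(path);
    std::string part;
    while (std::getline(ss, part, '/')) {
        if (part.empty()) continue;
        if (part == "." || part == "..") return false;
        std::transform(part.begin(), part.end(), part.begin(),
            [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
        out.push_back(part);
    }
    return true;
}

// Data caging decision for one file access.
bool dataCagingAllows(const Process& p, const std::string& path, Access a) {
    std::vector<std::string> parts;
    if (!splitPath(path, parts)) return false;
    if (!parts.empty() && parts[0].size() == 2 && parts[0][1] == ':')
        parts.erase(parts.begin());                  // drop the drive letter
    if (parts.empty()) return true;
    if (parts[0] == "sys")                           // AllFiles to read, TCB to write
        return a == Access::Read ? p.has(kAllFiles) : p.has(kTCB);
    if (parts[0] == "resource")                      // world-readable, TCB to write
        return a == Access::Read || p.has(kTCB);
    if (parts[0] == "private") {                     // one directory per SID
        char own[9];
        std::snprintf(own, sizeof own, "%08x", static_cast<unsigned>(p.sid));
        if (parts.size() >= 2 && parts[1] == own) return true;
        return p.has(kAllFiles);                     // someone else's cage
    }
    return true;                                     // public area
}

// Constructed sample processes and policies (SIDs are made up).
const Process kApp{0x20001234u, kNetworkServices | kReadUserData};
const Process kOtherApp{0x20005678u, kNone};
const Process kBackup{0x20009abcu, kAllFiles};
const Process kInstaller{0x2000def0u, kTCB | kAllFiles};
const Policy kReadContacts{kReadUserData, 0};
const Policy kOwnerOnly{kNone, 0x20001234u};

int main() {
    const std::string settings = "C:\\private\\20001234\\settings.ini";
    std::printf("owner writes own cage: %d\n", dataCagingAllows(kApp, settings, Access::Write));
    std::printf("other app reads cage:  %d\n", dataCagingAllows(kOtherApp, settings, Access::Read));
    std::printf("installer writes sys:  %d\n", dataCagingAllows(kInstaller, "C:\\sys\\bin\\a.exe", Access::Write));
    std::printf("contacts API for app:  %d\n", policyAllows(kApp, kReadContacts));
    return 0;
}
```
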

Symbian OS New Malware Strains and Variants Per Month
[Chart: new malware strains (“New”) and variants (“Variant”) per month, vertical axis 0 to 18; annotation: “First phones introduced with platform security”]

Developer Difficulties
• Compatibility break
• Used as an excuse for fixing accumulated technical debt
• Additional complexity
• SIDs, data caging, etc.
• “How do I know what capabilities I need?”
• Difficulty of debugging
• “Why can’t you just turn the security off?”
• Cost of approval and signing
• ...even though it was steadily reduced over time
• Delays caused by approval and signing process
• Rejections were common

Aside: Symbian OS C++
• Same language and environment for apps as the OS (and/or UI)
• In principle allows third party developers to produce powerful apps
• ... but harder to work with in-progress documentation and finicky tools
• Non-standard C++ “idioms”
• Descriptors, active objects, cleanup stack
• ANSI exception handling came too late
• Technically good (vastly more power efficient)
• ... but steep learning curve
• Alternatives were either too little (CDC Java, MIDP Java)
• ... or too late (PIPS, Qt)

Symbian Signed Capability Groups

User             Extended (System)  Extended (Restricted)  Manufacturer
LocalServices    PowerMgmt          CommDD                 AllFiles
Location         ProtServ           DiskAdmin              DRM
NetworkServices  ReadDeviceData     NetworkControl         TCB
ReadUserData     SurroundingsDD     MultimediaDD
UserEnvironment  SwEvent
WriteUserData    TrustedUI
                 WriteDeviceData

Symbian Signed Capability Groups

Signing options (columns):
• Unverified: Unsigned or Self-signed; Developer Certificate per IMEI(s)
• Verified with Publisher ID: Developer Certificate per IMEI(s); Express Signed; Certified Signed

Group (additional capabilities permitted):
• User (6): install-time user prompt; Yes; Yes; Yes; Yes
• Extended (System) (7)
• Extended (Restricted) (4)
• Manufacturer (3): OEM approval; OEM approval

Symbian Signed Costs
• 2004, initially a branding / co-marketing programme
    • All outsourced costs passed to publisher (could be over $1000 per app)
    • Most developers were their own publisher
• 2006, required for “non-user-grantable” platform security capabilities
    • Standardised testing, lowest price €195
    • Still required $395 publisher ID annually
• 2007, reduced costs but increased complexity
    • Publisher IDs reduced to $200
    • “Express Signed” $20
        • subset of “extended” capabilities, self-testing with random auditing afterwards
• 2010, streamlined test criteria
    • Express Signed €10, Certified Signed €150
• 2010, Nokia pays for and performs signing for Ovi Store submissions

What Could We Have Done Differently?
• Needed more clout and/or money
• Google were able to ignore operator demands
• Apple were able to phase out DRM
• Apple were able to subsidise approval process
• CA-issued publisher IDs were probably a mistake
• Self-signed works for Google Android
• Didn’t help us track down malicious actors
• Robustness was pretty good
• User experience was pretty good

Discussion Points
• Was Symbian OS platform security a success?
• Did developer difficulties with platform security contribute to Symbian’s downfall?
• Could those difficulties have been prevented?
• Did Symbian’s platform security have anything better than today’s successful platforms?
