We are putting ever more trust in mobile devices. We use them for e-commerce and banking, whether through a web browser or specialized apps. Such apps hold high-value credentials and process sensitive data that need to be protected.
Meanwhile, mobile phone OSes are untrustworthy. While in principle they attempt to be more secure than desktop OSes (e.g., by preventing modified OSes from booting, by using safer languages, or by sandboxing mechanisms for third-party apps such as capabilities), in practice they are still fraught with vulnerabilities.
Mobile OSes are as complex as desktop OSes. Isolation and sandboxing provided by the OS are routinely broken, as in Apple iOS jailbreaking by clicking a button on a web page. Mobile OSes often share code with open source OSes such as GNU/Linux, but often lag behind in applying security fixes, meaning that attackers need only look at recent patches to the open-source code to find vulnerabilities in the mobile device’s code.
Therefore, there is a need for isolation and security primitives exposed to application developers in such a way that they need not trust the host OS. We argue that this problem is severe enough to have garnered significant attention outside of the security community.
Demand for mobile applications with stronger security requirements has given rise to add-on hardware with stronger security properties. This situation is unfortunate, given that many current mobile devices already have hardware support for isolated execution environments and other security features. However, these features are not made available to all parties who may benefit from their presence.
Our goal in this paper is to systematize deployed (or readily available) hardware security features, and to provide an extensive and realistic evaluation of existing (largely academic) proposals for multiplexing these features amongst all stake-holders. We define a set of security features that may be useful for application developers that need to process sensitive data. Our focus is on protecting secrets belonging to the user, such as credentials used to authenticate to online services and locally cached data.
We provide an overview of hardware security features available on today’s mobile platforms. We show that hardware security features that can provide the desired properties to application developers are prevalent, but they are typically not accessible in COTS devices’ default configurations.
We then move on to evaluate existing proposals (given the hardware security features available on mobile devices) for creating a trustworthy execution environment that is able to safely run sensitive applications that are potentially considered untrustworthy by other stake-holders.
We show that multiplexing these secure execution environments for mutually-distrusting sensitive applications is quite possible if the threat model for application developers and users is primarily software-based attacks.
Finally, we provide an end-to-end analysis and recommendations for the current best practices for making the most of mobile hardware-based security features, from the points of view of each stake-holder.
Unfortunately, without firmware or software changes by OEMs and carriers, individual application developers today have little opportunity to leverage the hardware security primitives in today’s mobile platforms. The only real options are either to partner with a mobile platform integrator, to distribute a customized peripheral (e.g., a smart-card-like device that can integrate with a phone, such as a storage card with additional functionality), or to purchase unlocked development hardware.
We provide recommendations for OEMs and carriers for how they can make hardware-based security capabilities more readily accessible to application developers without compromising the security of their existing uses.