Software security privacy risks in mobile e commerce
Download
1 / 17

Software Security & Privacy Risks in Mobile E-Commerce - PowerPoint PPT Presentation


  • 99 Views
  • Uploaded on

Software Security & Privacy Risks in Mobile E-Commerce. Kartikeya Kakarala CSCI 5939-Independent Study Wireless Application Protocols. Contents. Introduction New Security & Privacy Risks Addressing the Software Risks Platform Risks Software Application Risks WML Script

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Software Security & Privacy Risks in Mobile E-Commerce' - noelani-mcconnell


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Software security privacy risks in mobile e commerce

Software Security & Privacy Risks in Mobile E-Commerce

Kartikeya Kakarala

CSCI 5939-Independent Study

Wireless Application Protocols


Contents
Contents

  • Introduction

  • New Security & Privacy Risks

  • Addressing the Software Risks

    • Platform Risks

    • Software Application Risks

  • WML Script

  • Security Risks of WML Script

  • Conclusion


Introduction
Introduction

  • M-Commerce : E-Commerce obtained by Accessing the internet through the wireless devices.

  • Major Applications of M-Commerce :

    • Weather Reports,Sport Scores,Flight Info., Navigational Maps,Stock Quotes,email etc.

  • According to Strategy Analytics by 2004, over 1 billion wireless device users, 600 million wireless internet subscribers and a $200 billion mobile e-commerce market is expected.


Introduction cont
Introduction(Cont..)

  • Because of such anticipated growth, new security and privacy risks abound in M-Commerce .

  • Integrating Security and privacy into the M-Commerce applications would give a projected $25 billion market .

  • On the other hand if Security is not properly met than it would cause to significantly dampen the consumer adoption rates.


New security privacy risks
New Security & Privacy Risks

  • New hazards

    • In wireless devices due to their mobility & communication medium.

    • A single malicious domain could potentially compromise wireless devices through malicious downloads or simple denial of service.

    • Rather than an attacker needing to pursue a target, targets can come to attackers in wireless networks by simply roaming through the attacker’s zone.


New security privacy risks cont
New Security & Privacy Risks(Cont..)

  • Most Vendors implementations of the SSL or WTLS do not reauthenticate or recheck certificates once a connection is established.

  • Simply “Refreshing” a browser to re-establish a connection may inadvertently introduce risks by redirection of the URL.

  • Example a hacker can compromise the closest DNS server that route’s a client’s web request from a site ‘X’ and redirect it to the hacker’s site.


New security privacy risks cont1
New Security & Privacy Risks(Cont..)

  • Attacks from the wireless devices would become easy.

  • Another risk unique to mobile devices is the risk of loss or theft.

  • Tracking of users by on-line web usage via Cookies,could lead to loss of privacy.

  • Size &Time limitations make it more unlikely that a user would go through the privacy policies of a web site.


Addressing the software risks
Addressing the Software Risks

  • Security risks of wireless devices must be carefully analyzed and addressed.

  • “WAP gap”

    • wireless requests to web pages are translated at the WAP gateway from the WTLS protocol to SSL protocol, widely used in HTTP requests.

    • If an attacker compromises the WAP gateway, could capture data when decryption is done.

  • WAP gap problem

    • Solved by simple modifications to existing protocols.


Platform risks
Platform Risks

  • Platform or the Operating system

    • The basic infrastructure for running M-Commerce application.

  • Without a secure infrastructure on the device, it is not possible to attain secure M-Commerce.

  • Present Scenario

    • Many manufacturer’s do not provide with all the necessary requirements.


Platform risks cont
Platform Risks(Cont..)

  • Many Manufacturer’s have failed to provide:

    • Memory protection for processes

    • Protected Kernel Rings

    • File Access Control

    • Authentication of principals to resources

    • Differentiated User & process privileges

    • Sandboxes for untrusted code etc.

  • Due to lack of these features the platform becomes vulnerable to attacks.


Platform risks cont1
Platform Risks(Cont..)

  • To address these platform risks,the wireless device platforms need to :

    • Enforce memory protection b/w applications.

    • Strong Authentication mechanisms such as fingerprints recognition systems should be built into the devices.

    • Software certificates should be used to authenticate software to the user before installing on the device.


Software application risks
Software Application Risks

  • Low level languages

    • In handheld devices cause the continuation of basic flaws like Buffer overflow etc.

  • Application developers may forgo security features like encryption etc

    • Due to Limited power, lack of Processing cycles, memory and bandwidth of the devices

    • To increase online performance.

  • Interesting software development

    • The ability to send & execute mobile code.

  • WML script is used to overcome software application risks.


Wml script
WML Script

  • WML Script

    • The WAP equivalent of Java Script.

    • It is used basically to provide a uniform interface to wireless applications.

    • It is used to provide functions independent of the device brand.

  • Achieving Interface functionality & Compatibility uniform for different phones regardless of the brand can be done by the development of WML Script Interpreter.


Security risks of wml script
Security Risks of WML Script

  • The security risks associated with WML Script are based on a fundamental lack of a model for secure computation.

  • WML Script

    • not a type-safe language.

    • Without owner’s knowledge it can be pushed to a device by scheduled pulls from web pages or other WML Scripts.

    • To achieve efficiency,it is compiled into a WML script bytecode downloaded by the client and run on a WML script virtual machine.


Security risks of wml script cont
Security Risks of WML Script(Cont..)

  • WML Script provides access to telephony functions through the WTAI.

  • Access to a phone’s telephony facilities allows online service providers to :

    • Accept/Initiate calls

    • Send/Receive text messages

    • Add/Search/Remove phonebook entries.

    • Examine call logs

    • Send tones during calls etc.

  • To prevent this Permission functions through WTAI should be created.


Conclusion
Conclusion

  • The Goal here was to highlight Key Security & Privacy Risks already apparent in these devices.

  • The Platforms & Languages being developed for wireless devices have failed to adopt fundamental security concepts on Desktop machines.

  • Encrypted Communication protocols are necessary to provide Confidentiality,Integrity and Authentication services for M-Commerce Applications.

  • The best strategy for addressing security would be to implement it on Platform & Applications themselves , rather than to introduce security patches afterwards.


References
References

  • Technical Paper on “Software security & privacy risks in mobile E-Commerce”

    • By Anup K.Ghosh

    • Tara M.Swaminatha

  • www.wapforum.org


ad