Secure Information Technology Center – Austria

Analysis of Modern Cross-platform Development Frameworks for Mobile Applications

Category: eGovernment

This study analyzes which security mechanisms are available in popular cross-platform frameworks. It covers the two most popular frameworks, Apache Cordova and Xamarin, and additionally Alpha Anywhere. Alpha Anywhere was selected because of its advertised security features. The selected frameworks cover both development approaches, hybrid and interpreted applications. Apache Cordova and Alpha Anywhere create interpreted applications, while Xamarin creates hybrid applications.


Static Analysis of Windows Phone Applications

Category: IT-Security

The objective of the project was to analyse a number of Windows Phone apps for common security issues. It started with the manual analysis of selected applications. It soon became evident that many of the analysis steps can easily be automated to save time. Another observation was that several applications suffer from similar security issues.

Browser Plugin to interact with SkyTrust

Category: IT-Security

Online services for data storage (e.g. Dropbox, Google Drive) provide no ability to encrypt stored data prior to the actual upload process. Desktop programs of third-party vendors are in principle capable of supplying this functionality. However, these applications are likely not available for specific (mobile) operating systems or fail to protect sensitive key material adequately. As a consequence, a browser plugin for Google Chrome has been developed in this project as a proof of concept; it rewrites existing browser interfaces in order to insert a transparent encryption layer. Instead of relying on third-party desktop applications, cryptographic operations are performed on a secure platform, named SkyTrust, which also protects the key material used. The advantage of this approach is that existing web applications require no adaptation in order to cryptographically protect a user’s data.

Platform Independent CMA System

Category: Cloud Computing, IT-Security

Despite their continuously growing popularity, mobile end-user devices still suffer from limited computing resources. This complicates the use of complex mobile applications that require resource-intensive computations.
Recently, several frameworks have been developed that enable mobile applications to follow the cloud-based mobile augmentation (CMA) approach. This approach defines a strategy to dynamically outsource resource-intensive tasks to external resources. None of the existing frameworks focuses on cross-platform applicability and interoperability issues. It turns out that all of the existing frameworks are tailored to specific platforms and specific operating systems. Furthermore, security is not tackled at all by any of the frameworks.

Static analysis of selected Android applications

Category: IT-Security

In this project, we analyzed how well a set of selected applications withstands real-world threats. Based on current attack vectors, we derived concrete inspection criteria and applied them to our dataset. As a result, it was feasible to uncover deficiencies in 8 of 10 analyzed applications. The issues found significantly undermine the achievable security level and can lead to the exposure of secrets and the leak of sensitive data to unrelated parties.

Firefox plugin highlighting security information

Category: IT-Security

Typically, browsers keep the display of security-related information about visited web pages to a minimum. While it is clearly indicated whether the connection to a server is encrypted, more fine-grained information is not shown or can only be retrieved by overcoming hurdles.

As a consequence, the objective of this project was to develop an extensible add-on for Mozilla Firefox which inspects visited domains regarding security-critical aspects and summarizes the results for security-conscious users.

21 July 2015

Apache Cordova Cryptography Plugin

Category: eGovernment

This project implements a cryptography plugin for the Cross-Platform Framework Apache Cordova. The plugin is currently available for Android only. The plugin implements the Web Crypto API. Therefore, cryptographic methods can be invoked using the interface provided by the Web Crypto API. The cryptographic methods are implemented natively and cryptographic keys are stored using the on-device key storage facilities. As many Android devices use a KeyStore backed by a Secure Element, this cryptography plugin provides protection against software attacks on the key material.


20 June 2015

Analysis of Windows Phone Applications

Category: IT-Security

This document provides an overview of current possibilities regarding application analysis on the Windows Phone 8 and 8.1 platform. For this, it lists possible application sources, explains the different Windows Phone unlocking stages, and finally describes possible analysis methods. The document is meant to be a short study on these two aspects; reference to further, more comprehensive work is made. It concludes that the Windows platform and its applications offer great possibilities regarding application analysis.


TPMv2 Analysis

Category: IT-Security

The “Trusted Computing” technology offers interesting concepts and methods to increase the trustworthiness of connected systems. By adding a new component to a computer, it is possible to watch the behaviour of the computer and protect it from unwanted behaviour caused by malicious software. Trusted Computing does not only protect local systems; it also helps to attest the state of a remote system. In 2009, A-SIT evaluated “Trusted Computing” and its central component, the Trusted Platform Module. The study (DE) dealt with TPM v1.2, which was rolled out to the mass market.

Recently the Trusted Computing Group introduced the updated TPM v2 specification. While the new version is not yet integrated into mass-market systems, some manufacturers provide first chip samples. A-SIT analysed the TPM v2 specifications and synthesized a TPM v2 emulator from the specifications. The results are currently being prepared and will be released soon.

Cloud-based Mobile Augmentation Systems

Category: Cloud Computing

Since the emergence of mobile devices, researchers have been working on techniques to overcome their resource constraints and to augment the devices with additional resources and computing power. One of the first techniques is called Cyber Foraging, where resource-intensive tasks are offloaded to surrounding devices. Linked with the emerging field of cloud computing, new possibilities arise. This document provides a survey of existing offloading mechanisms and highlights their pros and cons. Furthermore, the mechanisms are scrutinized with regard to security-related aspects, with a special focus on cloud computing.
