49 research outputs found

    Mobile applications approaches using near field communication support

    Nowadays, society is constantly evolving technologically, and new products and technologies appear every day. These technologies support the well-being of societies and their populations. The evolution of mobile gadgets, mainly smartphones, has always been at the forefront: new devices appear every day and, with them, more recent technologies. These technologies provide a better quality of life for everybody who uses them. People need to have at their disposal a whole array of new features that make their lives easier. The use of gadgets to simplify day-to-day life is growing, and for this people use all available types of devices, such as computers, laptops, file servers, smartphones, and tablets, among others. With the need to use all these devices, a problem appears: data synchronization and a way to simplify the usage of smartphones. What is the advantage of having so much technology available if we need to be concerned about the interoperability between all devices? There are some solutions to overcome these problems, but most often the advantage brought by these technologies comes with some setup configuration, and time is money. Near field communication (NFC) appeared in 2004 but has only now gained market dominance and visibility; everybody wants to have an NFC-based solution, like Google, Apple, Microsoft and other IT giants. NFC is the best solution to overcome problems such as file synchronization, content sharing, pairing devices, and launching applications without user interaction. NFC arises as a technology that was forgotten, but it has everything to win in every global solution and market. In this dissertation two NFC-based solutions are presented: an application to transfer money using NFC and an application launcher. Both solutions are an innovation in the market because there is nothing like them. A prototype of each application was built and tested. NFC Launcher is already in Android Market.
NFC Launcher and Credit Transfer were built, evaluated and are ready for use

    TechNews digests: Jan - Nov 2009

    TechNews is a technology, news and analysis service aimed at anyone in the education sector keen to stay informed about technology developments, trends and issues. TechNews focuses on emerging technologies and other technology news. TechNews service: digests September 2004 till May 2010. Analysis pieces and news combined, published every 2 to 3 months

    RFID Security and Privacy

    The European Commission published in May 2009 a recommendation "on the implementation of privacy and data protection principles in applications supported by radio-frequency identification", which is designed to provide "guidance to Member States on the design and operation of RFID applications in a lawful, ethical and socially and politically acceptable way, respecting the right to privacy and ensuring protection of personal data." This recommendation requires RFID operators to conduct a "Privacy and Data Protection Impact Assessment" before an RFID application is deployed, and to make its results available to the competent authority. The RFID recommendation is also designed to promote "information and transparency on RFID use", in particular through the development of "a common European sign developed by European Standardisation Organisations, with the support of concerned stakeholders", designed "to inform individuals of the presence of readers". The RFID PIA (Privacy and Impact Assessment) process aims to reach several objectives: to favour "privacy by design" by helping data controllers to address privacy and data protection before a product or service is deployed; to help data controllers to address privacy and data protection risks in a comprehensive manner, an opportunity to reduce legal uncertainty and avoid loss of trust from consumers; and to help data controllers and data protection authorities to gain more insight into the privacy and data protection aspects of RFID applications. The industry has proposed an RFID PIA framework which classifies an RFID application into 4 possible levels. Level 0 applications essentially cover RFID applications that do not process personal data and where tags are only manipulated by users, and are rightly excluded from conducting a PIA. Level 1 applications cover applications where no personal data is processed, yet tags are carried by individuals.
Level 2 applications process personal data, but the tags themselves do not contain personal data. Level 3 applications are those where tags contain personal data. If the RFID application level is determined to be 1 or above, the RFID operator is then required to conduct a four-part analysis of the application, with a level of detail that is proportionate to the identified privacy and data protection implications. The first part is used to describe the RFID application. The second part highlights control and security measures. The third part addresses user information and rights. The final part of the proposed PIA framework requires the RFID operator to conclude whether or not the RFID application is ready for deployment. As a result of the PIA process, the RFID operator will produce a PIA report that will be made available to the competent authority. For the industry, only levels 2 and 3 are to be submitted to a PIA because it considers that information contained in a tag at level 1 is not personal. However, level 1 raises concerns for the Article 29 Working Party because tagged items carried by a person contain unique identifiers that could be read remotely. In turn, these unique identifiers could be used to recognize that particular person through time. This raises the possibility that a person will be tracked without his knowledge by a third party. When a unique identifier is associated with a person, it falls within the definition of personal data set forth in Directive 95/46/EC, regardless of the fact that the "social identity" (name, address, etc.) of the person remains unknown (i.e. he is "identifiable" but not necessarily "identified"). Additionally, the unique number contained in a tag can also serve as a means to remotely identify the nature of items carried by a person, which in turn may reveal information about social status, health, or more.
Thus, even in those cases where a tag contains solely a number that is unique within a particular context, and no additional personal data, care must be taken to address potential privacy and security issues if this tag is going to be carried by persons. The Working Party has urged the industry to fully address this issue, by clearly mentioning it in the framework as part of a revised risk assessment approach for level 1. This chapter will address the issue of protecting the privacy of RFID tag carriers in a privacy by design model which puts them in a position to decide whether or not they accept being tracked at level 1. In case of a negative decision, tags have to be deactivated. Security measures must also be taken to protect personal information on RFID tags against information leaks which could lead to identity theft

    Financial Technologies: a Note on Mobile Payment

    The financial market is currently disrupted by the rise of new technologies, "FinTech", a short form for financial technology, which profoundly reshapes the financial intermediary structure and makes financial services more efficient. Mobile technology with Internet-enabled devices is the next logical phase of the World Wide Web campaign, such as mobile phones taking over the mass market, and will fundamentally change the way products are bought and sold as well as financial services, especially the mobile payment system. This research examines changes in payment methods in financial services, particularly those involving mobile payments that can create new channels for consumers to purchase goods and services using a mobile phone. Mobile payment applications are ready to replace traditional cash, checks, credit and debit cards throughout the country. At this stage of development, the research covers the current situation of the mobile payment market, reviews the previous literature on mobile payment services, and analyses the use of mobile payment worldwide and various initiatives that use mobile phones to offer financial services for the 'unbanked'

    Segurança e privacidade em terminologia de rede

    Security and Privacy are now at the forefront of modern concerns, and drive a significant part of the debate on digital society. One particular aspect that holds significant bearing in these two topics is the naming of resources in the network, because it directly impacts how networks work, but also affects how security mechanisms are implemented and what the privacy implications of metadata disclosure are. This issue is further exacerbated by interoperability mechanisms that imply this information is increasingly available regardless of the intended scope. This work focuses on the implications of naming with regard to security and privacy in namespaces used in network protocols, in particular on the implementation of solutions that provide additional security through naming policies or increase privacy. To achieve this, different techniques are used to either embed security information in existing namespaces or to minimise privacy exposure. The former allows bootstrapping secure transport protocols on top of insecure discovery protocols, while the latter introduces privacy policies as part of name assignment and resolution. The main vehicle for implementation of these solutions is general purpose protocols and services; however, there is a strong parallel with ongoing research topics that leverage name resolution systems for interoperability, such as the Internet of Things (IoT) and Information Centric Networks (ICN), where these approaches are also applicable.
    Security and Privacy are two topics that mark the agenda in the discussion on the digital society. A particularly subtle aspect of this discussion is the way we assign names to resources in the network, a choice with practical consequences for the operation of the different network protocols, for the way different security mechanisms are implemented, and for the privacy of the various parties involved. This problem becomes even more significant when one considers that, to promote interoperability between different networks, autonomous mechanisms make this information accessible in contexts that go beyond what was intended. This thesis focuses on the consequences of different name assignment policies in the context of different network protocols, for security and privacy purposes. Based on the study of this problem, solutions are proposed that, through different name assignment policies, make it possible to introduce additional security mechanisms or mitigate privacy problems in different protocols. This results in the implementation of security mechanisms on top of insecure discovery protocols, as well as in the introduction of name assignment and resolution mechanisms that focus on protecting privacy. The main vehicle for implementing these solutions is general purpose network services and protocols. However, the applicability of these solutions also extends to other research topics that rely on name resolution mechanisms to implement interoperability solutions, namely the Internet of Things (IoT) and Information Centric Networks (ICN). Programa Doutoral em Informátic

    Forder Application

    Master's dissertation in Informatics Engineering. In Portugal eating out is a part of the lifestyle. People meet in coffee shops and restaurants, creating business opportunities for the owners of the places. In the summer season there are many bars that open their terrace service. Like many businesses, there are some ‘quiet times’ during the day – moments when the place doesn’t receive so many clients. This project proposes an idea on how to maintain the efficiency of the outdoor service with possibly lower costs for the company. The application presented in this project enables clients to make their requests directly from the table using a cellphone. In the next step the employee receives a notification with the request and can prepare and deliver the order. Combining Proximity Communication Technologies with a web and mobile application, the communication between a client and an employee may turn out to be fast and comfortable. This solution can have an impact on the number of employees during a calmer time. It is also expected that the client will be able to receive his order faster through the implemented innovation

    NFC based remote control of services for interactive spaces

    Ubiquitous computing (one person, many computers) is the third era in the history of computing. It follows the mainframe era (many people, one computer) and the PC era (one person, one computer). Ubiquitous computing empowers people to communicate with services by interacting with their surroundings. Most of these so-called smart environments contain sensors sensing users’ actions and try to predict the users’ intentions and necessities based on sensor data. The main drawback of this approach is that the system might perform unexpected or unwanted actions, making the user feel out of control. In this master thesis we propose a different procedure based on Interactive Spaces: instead of predicting users’ intentions based on sensor data, the system reacts to users’ explicit predefined actions. To that end, we present REACHeS, a server platform which enables communication among services, resources and users located in the same environment. With REACHeS, a user controls services and resources by interacting with everyday life objects and using a mobile phone as a mediator between himself/herself, the system and the environment. REACHeS’ interfaces with a user are built upon NFC (Near Field Communication) technology. NFC tags are attached to objects in the environment. A tag stores commands that are sent to services when a user touches the tag with his/her NFC enabled device. The prototypes and usability tests presented in this thesis show the great potential of NFC to build such user interfaces

    Pervasive Services for Flexible Spaces

    Shared spaces are increasingly being used in working environments to cope with the limitations in the available facilities, in terms of both square meters and costs. One important example of a shared resource is a meeting room that can be booked and used by several actors, for instance, companies co-located in a business hub. To this end, current reservation systems have several limitations. First, access control is not really enforced based on the owner of the booking. Second, it is difficult to monitor the utilization of resources unless occupancy sensors are deployed, thus incurring additional costs. In this thesis we have realized a cloud-based reservation and access system for shared rooms. Our solution is based on an electronic lock and a digital sign together with a reservation server. Users can book a room by using third-party authentication and can access the room by a simple and usable method that involves scanning a QR Code with a mobile phone. We have designed the system architecture and have implemented the service by using modern mobile web technologies. We have also analyzed the economic feasibility of our approach and developed a supporting business model. Our system has been piloted in the Learning Hub of the Computer Science library as part of the Flexible Spaces Service project sponsored by the EIT ICT Labs

    SECURITY AND PRIVACY ASPECTS OF MOBILE PLATFORMS AND APPLICATIONS

    Mobile smart devices (such as smartphones and tablets) have emerged as dominant computing platforms for end-users. The capabilities of these convenient mini-computers seem nearly boundless: They feature compelling computing power and storage resources, new interfaces such as Near Field Communication (NFC) and Bluetooth Low Energy (BLE), connectivity to cloud services, as well as a vast number and variety of apps. By installing these apps, users can turn a mobile device into a music player, a gaming console, a navigation system, a business assistant, and more. In addition, the current trend of increased screen sizes makes these devices reasonable replacements for traditional (mobile) computing platforms such as laptops. On the other hand, mobile platforms process and store an extensive amount of sensitive information about their users, ranging from the user’s location data to credentials for online banking and enterprise Virtual Private Networks (VPNs). This raises many security and privacy concerns and makes mobile platforms attractive targets for attackers. The rapid increase in number, variety and sophistication of attacks demonstrates that the protection mechanisms offered by mobile systems today are insufficient and improvements are necessary in order to make mobile devices capable of withstanding modern security and privacy threats. This dissertation focuses on various aspects of security and privacy of mobile platforms. In particular, it consists of three parts: (i) advanced attacks on mobile platforms and countermeasures; (ii) online authentication security for mobile systems, and (iii) secure mobile applications and services.
Specifically, the first part of the dissertation concentrates on advanced attacks on mobile platforms, such as code re-use attacks that hijack execution flow of benign apps without injecting malicious code, and application-level privilege escalation attacks that allow malicious or compromised apps to gain more privileges than were initially granted. In this context, we develop new advanced code re-use attack techniques that can bypass deployed protection mechanisms (e.g., Address Space Layout Randomization (ASLR)) and cannot be detected by any of the existing security tools (e.g., return address checkers). Further, we investigate the problem of application-level privilege escalation attacks on mobile platforms like Android, study and classify them, develop proof of concept exploits and propose countermeasures against these attacks. Our countermeasures can mitigate all types of application-level privilege escalation attacks, in contrast to alternative solutions proposed in literature. In the second part of the dissertation we investigate online authentication schemes frequently utilized by mobile users, such as the most common web authentication based upon the user’s passwords and the recently widespread mobile 2-factor authentication (2FA) which extends the password-based approach with a secondary authenticator sent to a user’s mobile device or generated on it (e.g., a One-time Password (OTP) or Transaction Authentication Number (TAN)). In this context we demonstrate various weaknesses of mobile 2FA schemes deployed for login verification by global Internet service providers (such as Google, Dropbox, Twitter, and Facebook) and by the popular Google Authenticator app. These weaknesses allow an attacker to impersonate legitimate users even if their mobile device with the secondary authenticator is not compromised. We then go one step further and develop a general attack method for bypassing mobile 2FA schemes.
Our method relies on a cross-platform infection (mobile-to-PC or PC-to-mobile) as a first step in order to compromise the Personal Computer (PC) and a mobile device of the same user. We develop proof-of-concept prototypes for a cross-platform infection and show how an attacker can bypass various instantiations of mobile 2FA schemes once both devices, PC and the mobile platform, are infected. We then deliver proof-of-concept attack implementations that bypass online banking solutions based on SMS-based TANs and visual cryptograms, as well as login verification schemes deployed by various Internet service providers. Finally, we propose a wallet-based secure solution for password-based authentication which requires no secondary authenticator, and yet provides better security guarantees than, e.g., mobile 2FA schemes. The third part of the dissertation concerns design and development of security sensitive mobile applications and services. In particular, our first application allows mobile users to replace usual keys (for doors, cars, garages, etc.) with their mobile devices. It uses electronic access tokens which are generated by the central key server and then downloaded into mobile devices for user authentication. Our solution protects access tokens in transit (e.g., while they are downloaded on the mobile device) and when they are stored and processed on the mobile platform. The unique feature of our solution is offline delegation: Users can delegate (a portion of) their access rights to other users without accessing the key server. Further, our solution is efficient even when used with constrained communication interfaces like NFC. The second application we developed is devoted to resource sharing among mobile users in ad-hoc mobile networks. It enables users to, e.g., exchange files and text messages, or share their tethering connection.
Our solution addresses security threats specific to resource sharing and features the required security mechanisms (e.g., access control of resources, pseudonymity for users, and accountability for resource use). One of the key features of our solution is a privacy-preserving access control of resources based on FoF Finder (FoFF) service, which provides a user-friendly means to configure access control based upon information from social networks (e.g., friendship information) while preserving user privacy (e.g., not revealing their social network identifiers). The results presented in this dissertation were included in several peer-reviewed publications and extended technical reports. Some of these publications had significant impact on follow up research. For example, our publications on new forms of code re-use attacks motivated researchers to develop more advanced forms of ASLR and to re-consider the idea of using Control-Flow Integrity (CFI). Further, our work on application-level privilege escalation attacks was followed by many other publications addressing this problem. Moreover, our access control solution using mobile devices as access tokens demonstrated significant practical impact: in 2013 it was chosen as a highlight of CeBIT – the world’s largest international computer expo, and was then deployed by a large enterprise to be used by tens of thousands of company employees and millions of customers