A Fuzzing Framework for the Security Evaluation of NDEF Message Format

In the very near future, the vast majority of mobile phones will be NFC-enabled. The NFC technology, other than adding extra features to mobile devices, adds a new way for attackers to break into these. The aim of this paper is to draw the attention to one aspect related to the security of NFC devices, the NFC Data Exchange Format (NDEF). In this paper will be introduced techniques for testing NDEF, as well as to propose a new solution for fuzz testing NDEF on smart phones.JRC.G.7-Digital Citizen Securit

MobiLeak : Security and Privacy of Personal Data in Mobile Applications

Smartphones and mobile applications have become an essential part of our daily lives. People always carry their smartphones with them and rely on mobile applications for most of their tasks: from checking emails for personal or business purposes, to engaging in social interactions via social networks, from trading online or checking their bank accounts to communicating with families and friends through instant messaging applications. It is therefore clear to anyone that these devices and these applications handle, store and process a huge amount of people’s personal data, and therefore confidential and sensitive. Whether the person is famous or not, whether he/she is an important public personality or not, whether he or she manages and possess a big amount of money or not, the protection of his/her personal data should be of great importance, since threats can target anyone, with consequences ranging from defamation of person to economic losses due to a compromised bank account, to identity theft, location tracking, and many more. In this scenario it becomes very important that mobile applications are a) secure from a program code point of view, written following secure coding and Secure Software Development Life Cycle (S- SDLC) guidelines and best practices, and b) capable of handling, storing and processing user data in a proper and stringently secure manner to maintain user’s privacy. Secure Coding and S-SDLC concepts are well known and have been inherited from the classical software engineering development domain, although not too much widespread and applied in the mobile world. However, even the most secure application, from a code point of view, can pose threat to the security and privacy of users if the data are not handled properly. An application very well written from a code point of view (i.e. without presence of evident bug which may lead to its exploitability) may, for example, store user credentials or other personal data in plaintext inside the device. In case that a device is lost, stolen or compromised via other channels (i.e. other vulnerable applications or through the mobile OS itself), those data are completely exposed. A simple, standard vulnerability or penetration test against the application may not reveal such vulnerability. Thus, this thesis addressed and solved the problems related to the following three research questions for mobile environment and applications: What are data and where can such data exist? How is personal data handled? How can one properly assess the security and privacy of mobile applications? The research work started with studying and identifying every possible state at which data can exist, which is a fundamental prerequisite in order to be able to properly treat them. The lack of understanding of this aspect is where most of the existing approaches failed by focusing mainly on finding bugs in the code instead of looking at sources and transfers of data too. After this step, we analysed how real life mobile applications and operating systems handle users’ personal data for each of the states previously identified. Based on the results of these two steps, we developed a novel methodology for analysis of security and privacy level of mobile applications, which focuses more on user data instead of application code and its architecture. The methodology, which we named MobiLeak, also combined concepts and principles from the digital forensics discipline. Some of the solutions presented in this dissertation may sound a bit more obvious compared to when they have been developed within the MobiLeak Methodology. However, this research work started in January 2011 and back in 2010, when the research proposal that led to this Ph.D. was presented, the mobile application security landscape was quite different, at a very early rudimentary stage. At that time iPhone 4 and iOS4 had just been released; now we have reached iPhone 6 and iOS8. In December 2010 the first Near Field Communication (NFC) enabled smartphone was released, the Samsung Google Nexus S. Until that moment the only mobile phone (not smartphone) with NFC capabilities was a particular version of the Nokia 6131 released in 2006. Incredibly enough, at that time there were not yet publicly known Android malware. In fact, the first Android Trojans, FakePlayer and DroidSMS, were discovered in August 2010 and now, according to a recent report released by the security firm Kaspersky1 in February 2015, the number of financial malware attacks against Android counts up to 2,317,194 in 2014. Part of the significant contribution from the research work reported in this dissertation, was in the initial development of the Mobile Security Testing Guidelines developed by Open Web Application Security Project (OWASP) for the Mobile Security Project, pushing the need of mobile digital forensics methodology to be a mandatory part of a mobile application security assessment methodology. It also contributed to the works of the European Telecommunications Standards Institute (ETSI) and the International Organization for Standardization (ISO/IEC SC 27) committees related to digital forensics and, last but not least, it resulted in eleven peer-reviewed publications, one book chapter and one book co-authored. For this Ph.D., a three year grant was given from the Joint Research Centre of the European Commission (Grantholder cat. 20). As a result, the research activities for the three year period have been carried out at the Institute of Protection and Security of the Citizen, Digital Citizen Security Unit, in Ispra, Italy. QC 20150520</p

MobiLeak : A System for Detecting and Preventing Security and Privacy Violations in Mobile Applications

QC 20131118</p

A Cognitive access framework for security and privacy protection in mobile cloud computing

Information systems and wireless communications are becoming increasingly present in the everyday life of citizens both from a personal and business point of view. A recent development in this context is Mobile Cloud Computing (MCC), which is the combination of Cloud Computing and pervasive mobile networks. The objectives of this book chapter are as follows: a) First, ensuring the preservation of privacy can be difficult in MCC. Therefore, this study provides an overview of the main challenges in ensuring privacy in MCC and surveys the most significant contributions from the research community. b) The second objective is to introduce and describe a new framework for privacy protection based on the concepts of Virtual Object (VO) and Composite Virtual Object (CVO), where data are encapsulated and protected using a sticky policy approach and a role-based access model. The proposed iCore framework is compared to the privacy challenges described in the first objective.JRC.G.7-Digital Citizen Securit

Picture-to-Identity linking of social network accounts based on Sensor Pattern Noise

The widespread diffusion of digital imaging devices fuelled a growing interest on photo sharing through social networks. Nowadays, Internet users continuously leave visual 'traces' of their presence and life on the Internet, which can constitute precious data for forensic investigators. Digital Image Forensics tools are used to analyse such images and collect evidences. One of such tools is the Sensor Pattern Noise (SPN), that is, an unique 'fingerprint' left on a picture by the source camera sensor. In this paper, we propose and experimentally test a novel usage of SPN, to find social network accounts belonging to a person of interest, who has shot a given photo. We name this task Picture-to-Identity linking, and believe it can be useful in a variety of forensic cases, e.g., finding stolen camera devices, cyber-bullying, or on-line child abuse. We evaluate two methods for Picture-to-Identity linking based on two existing SPN comparison techniques, on a benchmark data set of publicly accessible social network accounts collected from the Internet. The reported results are promising and show that such technique has a practical value for forensic practitioners.JRC.G.6-Digital Citizen Securit

Secure Bluetooth for Trusted m-Commerce

Bluetooth is a wireless short-range communication technology, intended to replace the wires and cables connecting portable or fixed electronic devices. Created by telecom vendor Ericsson in 1994, from the first Bluetooth enabled de-vice in 1999, to 2008 more than 2 billion devices were using Bluetooth. In 2010 have been sold 906 million mobile phones Bluetooth enabled, and in 2011 there were more than 40 million Bluetooth enabled health and medical devices on the market. Still in 2011, one third of all new vehicles produced worldwide included Bluetooth technology. This pa-per will give first an overview on the general characteristics of Bluetooth technology today. It will go then deeper in the analysis of Bluetooth stack’s layers and the security features offered by the specifications. In the last part of the paper known vulnerabilities and potential threats will be presented, as well as a comprehensive list of known attacks. The pa-per concludes with the proposal of a design for Secure Architecture for Bluetooth-Enhanced Mobile “Smart” Commerce Environments.JRC.G.7-Digital Citizen Securit

The MobiLeak Project: Forensics Methodology for Mobile Application Privacy Assessment

When talking about privacy, we talk about infor- mation, about data. There are several aspects that have to be considered when aiming to assess the privacy level of an application. These aspects are the states in which data can exist: data at rest, data in use and data in transit. Each of these require different methodologies and technologies in order to be properly addressed. This paper focuses on the state where data are at rest. It will be shown how common mobile forensics methodologies and tools can be used to assess the privacy level of mobile applications, and therefore how mobile applications store and manage personal information.JRC.G.7-Digital Citizen Securit

Secure Bluetooth for Trusted m-Commerce

Our today’s world is becoming digital and mobile. Exploiting the advantages of wireless communication protocols is not only for telecommunication purposes, but also for payments, interaction with intelligent vehicles, etc. One of the most widespread wireless capabilities is the Bluetooth protocol. Just in 2010, 906 million mobile Bluetooth enabled phones had been sold, and in 2011, there were more than 40 million Bluetooth enabled health and medical devices on the market. Still in 2011, one third of all new vehicles produced worldwide included Bluetooth technology. Security and privacy protection is key in the digital world of today. There are security and privacy risks such as device tracking, communication eavesdropping, etc., which may come from improper Bluetooth implementation with very severe conse- quences for the users. The objective of this paper is to analyze the usage of Bluetooth in m-commerce and m-payment fields. The steps undertaken in this paper in order to come to a proposal for a secure architecture are the analysis of the state of the art of the relevant specifications, the existing risks and the known vulnerabilities the related known attacks. Therefore, we give first an overview of the general characteristics of Bluetooth technology today, going deeper in the analysis of Bluetooth stack’s layers and the security features offered by the specifications. After this analysis of the specifications, we study how known vulnerabilities have been exploited with a comprehensive list of known attacks, which poses serious threats for the users. With all these elements as background, we conclude the paper proposing a design for Secure Architecture for Bluetooth-Enhanced Mobile “Smart” Commerce Environments.Qc 20140205</p

Data-in-Use leakages from Android Memory - Test and Analysis

Due to their increasing pervasiveness, smartphones and more in general mobile devices are becoming the citizen’s companions in the daily life activities. Smartphones are today the repositories of our secrets (photos, email), of our money (online e-commerce) and of our identities (social networks accounts). Therefore mobile applications have the responsibility of handling such sensitive and personal information in a proper, secure way. This paper present the second phase of the MobiLeak project, analysing how mobile applications manage users data when these are loaded in the volatile memory of the device. Scope of this work is to raise the awareness of the research and development communities on the poor attention that is generally paid in the secure development of mobile applications.JRC.G.7-Digital Citizen Securit

Data-in-use leakages from Android memory - Test and analysis

Due to their increasing pervasiveness, smartphones and more in general mobile devices are becoming the citizen’s companions in the daily life activities. Smartphones are today the repositories of our secrets (photos, email), of our money (online e-commerce) and of our identities (social networks accounts). Therefore mobile applications have the responsibility of handling such sensitive and personal information in a proper, secure way. This paper present the second phase of the MobiLeak project, analysing how mobile applications manage users data when these are loaded in the volatile memory of the device. Scope of this work is to raise the awareness of the research and development communities on the poor attention that is generally paid in the secure development of mobile applications.QC 20131219</p