A Trusted UI for the Mobile Web
Institute of IT Security and Security Law (ISL), University of Passau, Germany
2 SAP Research, Karlsruhe, Germany
{bb,jp}@sec.uni-passau.de, [email protected], [email protected]
Abstract. Modern mobile devices come with first class web browsers that rival their desktop counterparts in power and popularity. However, recent publications point out that mobile browsers are particularly susceptible to attacks on web authentication, such as phishing or clickjacking. We analyze those attacks and find that existing countermeasures from desktop computers cannot easily be transferred to the mobile world. The attacks’ root cause is a missing trusted UI for security critical requests. Based on this result, we provide our approach, the MobileAuthenticator, which establishes a trusted path to the web application and reliably prevents the described attacks. With this approach, the user only needs one tool to protect any number of mobile web application accounts. Based on the implementation as an app for iOS and Android respectively, we evaluate the approach and show that the underlying interaction scheme integrates easily into legacy web applications.
1 Introduction
Since the introduction of the original iPhone in 2007, mobile devices have been first class citizens in the world of computing. Due to the impressive advances in energy consumption, mobile processor power, and display quality, the majority of common computing tasks can nowadays be done as easily on a mobile device as on a “real” desktop computer. However, while the computational power of mobile devices is almost comparable to that of their desktop counterparts, other key differences, in areas such as screen real estate, UI paradigms, or operating system induced limitations, remain for the foreseeable future. These differences have a significant impact on the devices’ security characteristics: Reduced screen real estate leaves significantly less space for the visual security indicators that could help in combating phishing attacks [1, 2]. Changed user interaction paradigms allow for different clickjacking variants [3]. Virtual keyboards on mobile devices lead users to choose insecure passwords, because switching between letters, numbers, and special characters requires uncomfortable context switches [2]. And finally, the current restrictions in mobile operating systems and the lack of an extension model for iOS’ mobile browser render most of the currently proposed attack mitigation tools impossible on mobile devices. As we will explore in Section 2, these limitations especially amplify security threats against mobile web authentication. For this reason, we propose a novel authorization delegation scheme using a native application, the MobileAuthenticator, that functions as a companion application to the mobile web browser.

N. Cuppens-Boulahia et al. (Eds.): SEC 2014, IFIP AICT 428, pp. 127–141, 2014. © IFIP International Federation for Information Processing 2014
B. Braun et al.

In this paper, we make the following contributions:
– We analyze how common web authentication attack