
Feature Operating System

Language Support

Encryption APIs

iPhone OS

iPhone apps can only be developed in Objective-C. The applications can invoke C libraries and C code.

iPhone provides a Common Crypto library in the libSystem dynamic library. CFNetwork is a high-level API that can be used by applications to create and maintain secure data streams and to add authentication information to a message. Block encryption and decryption is also supported by the Certificate, Key and Trust Services API. Storage encryption can be achieved using the KeyChain API.

Blackberry

The BlackBerry device supports MIDlets (Java applications that use standard MIDP and CLDC APIs only) and Java applications that use the BlackBerry APIs.

The RIM crypto API supports a wide range of asymmetric, symmetric and hashing algorithms. It has a Key Store API and a Messaging API that is CMS compliant.

Android

All apps are written in Java and executed within a custom JVM called Dalvik Virtual Machine. Development in C is possible but apps have to be externally compiled and then loaded.

Does not have support for device-level encryption. However, supports the javax.crypto API for creating encryption capable applications. Bouncycastle's J2ME provider comes bundled with Android.

Symbian Platform

Applications can be developed for Symbian using C++ or J2ME. Using Symbian's Web Runtime Tools that support HTML/ JavaScript/ CSS, web applications can be developed, distributed and installed on Symbian devices.

Supports the Security and Trust Services API (SATSA) for Java ME that defines a set of APIs that allows applications to communicate with and access functionality, secure storage and cryptographic operations provided by security elements. Supports the SATSA-CRYPTO package to enable symmetric and asymmetric cryptography. Also has C++ classes for OS based encryption and decryption. Another alternative is use of Bouncycastle's Lightweight Crypto API.

Windows Phone

Third-party applications can be developed for Windows Phone by:
- writing native code with Visual C++
- writing managed code that works with the .NET Compact Framework
- server-side code that can be deployed using Internet Explorer Mobile or a mobile client on the user's device
There is no J2ME version for Windows Phone.

Windows Mobile provides cryptography services that enable application developers to add cryptographic security to their applications. These are available in the form of Cryptography APIs and Cryptographic Service Providers (CSP). Windows Phone also supports Device Encryption which allows encryption of internal as well as external memory cards using a password that is itself encrypted and stored using the Device Lock PIN.

Certificate Management

SSL/TLS support

iPhone OS

iPhone provides the Keychain Services API and the Certificate, Key, and Trust services API, which in turn communicate with the internal Security Server. In iPhone OS, an application can access only its own items in the keychain; the user is never asked for permission or for a password.

Supports TLS/SSL. Also has a CFNetwork API, a high-level C API that makes it easy to create, send, and receive serialized HTTP messages. Because CFNetwork is built on top of Secure Transport, the data stream can be encrypted using any of a variety of SSL or TLS protocol versions.

Blackberry

The RIM crypto API provides a Certificate Management API and a Key Store API.

The RIM crypto API provides a WTLS and a TLS API. Data can be encrypted over SSL/TLS for the entire connection between BlackBerry smartphones and the application server.

Android

Supports java.security.cert package that provides all the classes and all the interfaces needed to generate, administer and verify X.509 certificates.

Supports javax.net.ssl package that provides all the classes and interfaces needed to implement and program the Secure Socket abstraction based on the SSL protocol SSLv3.0 or TLSv1.2. The Android javax.net.ssl package uses the OpenSSL Library to implement the low level SSL functionality. OpenSSL is also available on Android as a standard component.

Symbian Platform

Certificate and Key Management is supported through the SATSA PKI UserCredentialManagement class. Another alternative is use of Bouncycastle's Lightweight Crypto API.

SSL/TLS client functionality is available through both the native C++ API provided by the OS and through MIDP.

Windows Phone

Windows Mobile provides a Credential Manager that consists of a set of APIs that applications can use to cache and obtain cached credentials. The supported Credential types include Certificates. Windows Mobile only supports client certificates using its wireless authentication components. Machine certificates are not supported.

Windows Mobile devices have inbuilt SSL support for HTTP protocol. Its native SSL support is however lacking as one socket can only receive or send at one time. So for full duplex connection two SSL sockets are needed.

VPN Support

Authentication Support

iPhone OS

In iPhone OS, there is no API for Secure Transport. CFNetwork API is used for secure connections.

The iPhone OS security services do not provide an authentication interface. It relies on the device's PIN for Authentication.

Blackberry

Supports VPN functionality only through a Blackberry Enterprise Server. Does not have a bundled VPN client that can connect to third-party VPN servers.

By default, Blackberry supports simple password device authentication. Server-side strong authentication can be built into applications using J2ME and the RIM crypto API.

Android

The supported types of VPN are:
- L2TP/IPsec certificate based VPN
- L2TP/IPSEC pre-shared key based VPN
- L2TP only VPN
- PPTP only VPN
Also, a VPN client for openvpn is available but it requires root access to the phone to be started.

Supports javax.security.auth.plugin package that provides a pluggable and stackable authentication system based on ideas and concepts from the Unix PAM module.

Symbian Platform

Vpnclient software is used to establish secure connections from a mobile device to protected networks (e.g. a company intranet) over insecure networks such as the Internet. Vpnclient is based on open standards and it can be used with various security gateways produced by different vendors. Symbian also supports IPSec.

Authentication is supported through the SATSA PKI CMSMessageSignatureService class. This class provides an authenticate method that can be used to invoke DSC based authentication capability on the underlying device. Password-based authentication can be supported using the standard J2ME Authenticator class.

Windows Phone

By default, Windows Mobile-based devices can dial into Remote Access Servers by using one of the following authentication protocols:
- Password Authentication Protocol (PAP)
- Challenge Handshake Authentication Protocol (CHAP)
- Microsoft CHAP v1 & 2
Additionally, Windows Mobile supports virtual private networking (VPN), using either Layer Two Tunneling Protocol with Internet Protocol Security encryption (L2TP/IPSec) or Point-to-Point Tunneling Protocol (PPTP).

To achieve network authentication the Windows Mobile Security Support Provider Interface (SSPI) allows applications to access DLLs, called Security Support Providers (SSPs), that provide common authentication protocols like Kerberos, NTLM and SSL.

Digital Signatures

Authorization

iPhone OS

Supported by the Certificate, Key and Trust Services API. iPhone has Apple's Fast Elliptic Encryption (FEE) implementation that has a small memory footprint.

The iPhone OS security services do not provide an authorization interface. It relies on the sandboxing to achieve this. Each application is put in a sandbox that restricts the application to using only its own files and preferences, and limits the system resources to which the application has access.

Blackberry

Digital Signatures are supported through Core Crypto API or through the CMS API which is PKCS #7 compliant. Supports EC based cryptosystems.

BlackBerry applications can write only to the BlackBerry device memory that the BlackBerry® Java® Virtual Machine uses; they cannot access the virtual memory or the persistent storage of other applications unless they are specifically granted access to do so through the use of special Blackberry APIs. Research In Motion must digitally sign a BlackBerry Java Application that uses these BlackBerry APIs, to provide an audit trail of applications that use sensitive APIs.

Android

BouncyCastle has a J2ME provider that can be used on Android. This provider comes bundled with Android however certain algorithms like EC do not seem to be working. This will have to be investigated further.

The Android manifest file allows developers to define an access control policy for access to components:
- Each component can be assigned an access permission label
- Each application requests a list of permission labels which are fixed at install
When an application requests permissions to access other applications or OS features, the OS either automatically allows or disallows based on certificates or prompts the user.

Symbian Platform

Digital Signatures are supported through the SATSA PKI CMSMessageSignatureService class. This class provides a sign method that can be used to invoke signature capability on the underlying device. The signatures are generated in accordance with CMS - PKCS #7. Currently, Symbian Platform does not support ECC.

Symbian platform has a UNIX-style capability model (permissions per process, not per object). Privileges can be granted by user at installation time, through being Symbian signed or by device manufacturer. Symbian supports Data caging which means that the applications and the users have access only to certain areas of the file system. In practice the applications can access their own private directories and directories that are marked as open.

Windows Phone

Digital Signatures based upon RSA are supported.

Windows Phone has the concept of Normal and Privileged applications. Privilege is assigned to processes rather than to modules. Privileged applications can access all registry keys and all system APIs and can install certificates on the device. Privileged applications can switch to run kernel mode. Normal applications cannot access protected registry keys and system APIs.

Application Deployment

iPhone OS

Digital signatures are required on all applications for iPhone OS. The developer first signs an application. It is then signed by Apple. An application that hasn't been signed by Apple will not execute.

Blackberry

BlackBerry smartphone applications using the RIM crypto API require developers to sign and register their applications with Research In Motion (RIM). (The BlackBerry device allows the downloading of all third-party Java applications by default.)

Android

All Android applications (.apk files) must be signed with a certificate whose private key is held by their developer. This certificate identifies the author of the application and may even be self-signed.

Symbian Platform

Digital signatures by Symbian are required on all trusted applications for Symbian OS. These are applied through the Symbian Signed program. An application that hasn't been signed by Symbian will be an untrusted application.

Windows Phone

Windows Mobile devices are available in several security configurations. The typical configurations are locked, third-party signed, prompt, and security-off. Windows Phone has the concept of Normal, Privileged and Blocked applications. Privileged applications are those that are signed using a Certificate available in the Privileged Execution Trust Authorities Store. Privileged applications can be created by getting them signed by Verisign, a Microsoft Partner.

S.No / Category
1. Software Modification Threats
2. Data Threats
3. Threats due to Malware
4. DoS Attacks
5. Messaging based Attacks
6. Threats due to OS Vulnerabilities
7.

Threat
- Jailbreaking
- Attack via faulty or illegal privileged code extensions
- Data extraction from lost/stolen devices
- Viruses, Worms, Trojans, Spyware, Rootkits

Description: Moderate

social engineering attacks

Data Theft: Taking someone's pictures, messages, phonebook or file data without the permission of the owner.

Copyright Abuse: Violating paid for content, e.g. by recording and distributing pay-per-view films.

Device Theft: Phones are a highly lucrative item and phone theft is a massive problem. Re-enabling stolen phones is a key driver for hacking phones.

Theft of Service: Stealing someone else's minutes or data or getting free service from the network.

Denial of Service: Preventing normal operating of a phone or preventing the access to or operation of a network.

Disruptive / Anarchistic Attacks: Attacks in which the intention is to cause upset, distress and disturbance to the user, network or corporation such as a virus (could include Denial of Service).

Interception: Listening into someone's calls or getting access to messages / data during transit.

Facilitators: Some attacks are deliberately designed to create a staging post for other forms of attack.

Fraud: Getting financial gain by deceptive means.

Method of Propagation: WWW, MMS, SMS, Email, Bluetooth, WiFi, USB, Memory Card, User Installation, Self Installation

Resolution

A distrusting partner or spouse can secretly download the free application, called PhoneSnoop, onto your BlackBerry, remotely turn on the microphone, and listen to conversations held in proximity to the device.

Major Players