SwePub

Result list for search "WFRF:(Muftic Sead) srt2:(2015-2016)"

Search: WFRF:(Muftic Sead) > (2015-2016)

  • Result 1-4 of 4
1.
  • Kounelis, Ioannis (author)
  • Secure and Trusted Mobile Commerce System based on Virtual Currencies
  • 2015
  • Doctoral thesis (other academic/artistic)
    • With the widespread usage of mobile devices and their applications, many areas of innovation have created a multitude of opportunities for mobile technologies to be deployed with very interesting effects. One such new area that emerged in the last few years is mobile commerce. It represents a system where various entities create real-life or digital assets, distribute information about them to interested consumers, execute transactions, accept various types of compensation methods, and finally deliver these assets; all of it in a secure and trusted manner, respecting users’ privacy. Since mobile devices are increasingly used for m-commerce, it is important to ensure that users’ data on such devices are kept secure. Mobile devices contain many of our personal and private data and information, since we nowadays use them for all kinds of activities, both personal and professional. However, such data and information are not always treated in a secure and privacy friendly way. The goal of this thesis is to identify and provide solutions to security related problems found on mobile devices, such as communications, storage and mobile application design, and with the use of cryptocurrencies to combine the findings in the design of a secure mobile commerce system. As a result, this thesis describes a design and architecture of a secure e-commerce system, called eAgora, primarily exploiting mobile technology. The system is innovative as it treats digital goods, classified and called mobile commerce objects. Based on the attributes and anticipated use of such specific m-commerce objects, different security and privacy measures for each of them are needed and enforced. The goal was to design a system that deals with mobile commerce in a secure and privacy friendly way in all the lifecycle of the transactions. As users are mostly using mobile devices to connect to the proposed services, research first focused on mobile device security and privacy issues, such as insecure storage on the mobile device, insecure handling of user credentials and personal information, and insecure communications. Issues not only coming from the device itself but also from the nature of it; being mobile it is used in a different way than the classical desktop computers. Mobile devices are used in public, in an environment that cannot be controlled, and are interfacing a variety of networks that are not under the mobile device user’s control. Potential attackers’ interest was analysed in different mobile commerce scenarios in order to understand the needs for security enhancements. After having analyzed the possible threats, a methodology for mobile application development that would allow many common development errors to be avoided and security and privacy mechanisms to be considered by design was specified. Moreover, in order to provide secure storage and guard against active and passive intruder attacks, a secure Mobile Crypto Services Provider facility that allows storage of data on the UICC cards was designed and implemented. In order to secure communications, a secure e-mail application was designed and implemented. The application provides a user-friendly way to encrypt and sign e-mails, using the users’ already working e-mail accounts. The security functionality is completely transparent to users and ensures confidentiality and integrity of e-mail exchange. For the mobile commerce system, an architecture that enables exchange of m-commerce objects between different merchants, customers and retailers is proposed. In the architecture, policy enforcement and the feature to detect suspicious events that may be illegal and to cooperate with law enforcement was embedded. The newly defined technology of virtual currencies is used as a payment facilitator within the proposed architecture. Many of its innovative features are adopted but some are also extended, such as the secure use of the user wallet files, i.e. the files that link the user with the virtual currencies and enable payment transactions between customers and merchants. Although there is no distinction between different virtual currencies, Bitcoin is used as an example of a market valued trading currency to validate and evaluate the proposed secure e-commerce architecture and the findings have been applied on it. The thesis provides detailed use cases that demonstrate how the proposed architecture of eAgora functions in different complicated e-trading circumstances and how different security related mechanisms are used. The thesis concludes with the analysis of the research results and with proposed directions for future research and development works.
2.
  • Mumtaz, Majid, et al. (author)
  • Strong authentication protocol based on Java crypto chip as a secure element
  • 2016
  • In: Advances in Science, Technology and Engineering Systems. - : ASTES Journal. - 2415-6698. ; 1:5, pp. 21-26
  • Journal article (peer-reviewed)
    • Smart electronic devices and gadgets and their applications are becoming more and more popular. Most of those devices and their applications handle personal, financial, medical and other sensitive data that require security and privacy protection. In this paper we describe one aspect of such protection – user authentication protocol based on the use of X.509 certificates. The system uses Public Key Infrastructure (PKI), challenge/response protocol, mobile proxy servers, and Java cards with crypto capabilities used as a Secure Element. Innovative design of the protocol, its implementation, and evaluation results are described. In addition to end-user authentication, the described solution also supports the use of X.509 certificates for additional security services – confidentiality, integrity, and non-repudiation of transactions and data in an open network environment. The system uses Application Programming Interfaces (APIs) to access Java cards functions and credentials that can be used as add-ons to enhance any mobile application with security features and services.
3.
  • Shibli, Muhammad Awais, et al. (author)
  • MagicNET : mobile agents data protection system
  • 2015
  • In: European transactions on telecommunications. - : Wiley. - 1124-318X .- 2161-3915. ; 26:5, pp. 813-835
  • Journal article (peer-reviewed)
    • Literature study and analysis on mobile agents reveal many challenging and uncovered aspects that still do not have comprehensive solutions. Despite the fact that significant research has been carried out on mobile agents, it is still not widely adopted by industry and research community because of the immaturity of various technical aspects of agent paradigm. One of the main reasons that limits the scope of the potential applications of mobile agents is the lack of reliable security solutions for mobile agents' code and their baggage. The protection of mobile agents' codes has been solved by the research community to some extent; however, there is not even a single solution that provides complete protection and access control mechanism for agents' code and their baggage (data being accumulated/carried by agent during execution). Most of the existing solutions such as execution tracing, code obfuscation, encrypted code execution and partial result encapsulation mainly cover security threats of mobile agents' code. In this paper, we present a security solution to overcome the security threats on traditional mobile agents computing paradigm. Our proposed solution is one step ahead of extant solutions in that it provides complete protection and enforces access control on agents' complex baggage structure. We have extended our previous work that was limited to the protection of agents and the agent platforms only. Our approach provides holistic access control mechanism between users and agents, agents and agent platform resources and platform and agents baggage. By adopting the proposed solution in the mobile agent-oriented software engineering, secure and complex mobile agent-based applications can be developed, which will greatly benefit the software industry.
4.
  • Stirparo, Pasquale (author)
  • MobiLeak : Security and Privacy of Personal Data in Mobile Applications
  • 2015
  • Doctoral thesis (other academic/artistic)
    • Smartphones and mobile applications have become an essential part of our daily lives. People always carry their smartphones with them and rely on mobile applications for most of their tasks: from checking emails for personal or business purposes, to engaging in social interactions via social networks, from trading online or checking their bank accounts to communicating with families and friends through instant messaging applications. It is therefore clear to anyone that these devices and these applications handle, store and process a huge amount of people’s personal data, and therefore confidential and sensitive. Whether the person is famous or not, whether he/she is an important public personality or not, whether he or she manages and possesses a big amount of money or not, the protection of his/her personal data should be of great importance, since threats can target anyone, with consequences ranging from defamation of person to economic losses due to a compromised bank account, to identity theft, location tracking, and many more. In this scenario it becomes very important that mobile applications are a) secure from a program code point of view, written following secure coding and Secure Software Development Life Cycle (S-SDLC) guidelines and best practices, and b) capable of handling, storing and processing user data in a proper and stringently secure manner to maintain user’s privacy. Secure Coding and S-SDLC concepts are well known and have been inherited from the classical software engineering development domain, although not too much widespread and applied in the mobile world. However, even the most secure application, from a code point of view, can pose threat to the security and privacy of users if the data are not handled properly. An application very well written from a code point of view (i.e. without presence of evident bug which may lead to its exploitability) may, for example, store user credentials or other personal data in plaintext inside the device. In case that a device is lost, stolen or compromised via other channels (i.e. other vulnerable applications or through the mobile OS itself), those data are completely exposed. A simple, standard vulnerability or penetration test against the application may not reveal such vulnerability. Thus, this thesis addressed and solved the problems related to the following three research questions for mobile environment and applications: What are data and where can such data exist? How is personal data handled? How can one properly assess the security and privacy of mobile applications? The research work started with studying and identifying every possible state at which data can exist, which is a fundamental prerequisite in order to be able to properly treat them. The lack of understanding of this aspect is where most of the existing approaches failed by focusing mainly on finding bugs in the code instead of looking at sources and transfers of data too. After this step, we analysed how real life mobile applications and operating systems handle users’ personal data for each of the states previously identified. Based on the results of these two steps, we developed a novel methodology for analysis of security and privacy level of mobile applications, which focuses more on user data instead of application code and its architecture. The methodology, which we named MobiLeak, also combined concepts and principles from the digital forensics discipline. Some of the solutions presented in this dissertation may sound a bit more obvious compared to when they have been developed within the MobiLeak Methodology. However, this research work started in January 2011 and back in 2010, when the research proposal that led to this Ph.D. was presented, the mobile application security landscape was quite different, at a very early rudimentary stage. At that time iPhone 4 and iOS4 had just been released; now we have reached iPhone 6 and iOS8. In December 2010 the first Near Field Communication (NFC) enabled smartphone was released, the Samsung Google Nexus S. Until that moment the only mobile phone (not smartphone) with NFC capabilities was a particular version of the Nokia 6131 released in 2006. Incredibly enough, at that time there were not yet publicly known Android malware. In fact, the first Android Trojans, FakePlayer and DroidSMS, were discovered in August 2010 and now, according to a recent report released by the security firm Kaspersky in February 2015, the number of financial malware attacks against Android counts up to 2,317,194 in 2014. Part of the significant contribution from the research work reported in this dissertation, was in the initial development of the Mobile Security Testing Guidelines developed by Open Web Application Security Project (OWASP) for the Mobile Security Project, pushing the need of mobile digital forensics methodology to be a mandatory part of a mobile application security assessment methodology. It also contributed to the works of the European Telecommunications Standards Institute (ETSI) and the International Organization for Standardization (ISO/IEC SC 27) committees related to digital forensics and, last but not least, it resulted in eleven peer-reviewed publications, one book chapter and one book co-authored.