Widget security model based on MIDP and Web Application based on a security model with TLS/SSL and XMLDsig

Similar documents
Policy-based WRT Security Access to device APIs

Citrix Receiver for Windows (Store)

Browser Guide for PeopleSoft

Configuring Internet Explorer for CareLogic

Browser Configuration Reference

Eko Windows Application User Guide

<Insert Picture Here> The Latest E-Business Suite R12.x OA Framework Rich User Interface Enhancements

Task On Gingerbread On Ice Cream Sandwich Notification bar on lock screen Notification bar is not accessible on the lock screen.

Citrix XenApp / XenDesktop Setup Procedure For Q-Tel Workstation

IT Access Portal User Guide (Employees)

Paloalto Networks Exam PCNSE6 Palo Alto Networks Certified Network Security Engineer 6.0 Version: 6.1 [ Total Questions: 153 ]

Cambium Wireless Manager

Read the following information carefully, before you begin an upgrade.

Policy Settings for Windows Server 2003 (including SP1) and Windows XP (including SP2)

Citrix Receiver for Universal Windows Platform

Lenovo A5500. User Guide V1.0. Please read the safety precautions and important notes in the supplied manual before use.

Configure Internet Explorer Version 9 Settings for CGM webpractice

ControlPoint. Advanced Installation Guide. September 07,

Configure Internet Explorer Version 10 Settings for CGM webpractice

BLUEPRINT TEAM REPOSITORY. For Requirements Center & Requirements Center Test Definition

ORACLE UNIVERSITY AUTHORISED EDUCATION PARTNER (WDP)

Chrome Extension Security Architecture

Software Installation Manual

EMS MASTER CALENDAR Installation Guide

Content Publisher User Guide

IdeaTab A1000L-F. User Guide V1.0. Please read the Important safety and handling information in the supplied manuals before use.

Configure Internet Explorer. Version 9 Settings for. CGM webpractice

CYAN SECURE WEB Installing on Windows

How-to Guide: Tenable.io for Microsoft Azure. Last Updated: November 16, 2018

External HTTPS Trigger AXIS Camera Station 5.06 and above

Axon View for Android Devices User Manual

Sync User Guide. Powered by Axient Anchor

Android System Architecture. Android Application Fundamentals. Applications in Android. Apps in the Android OS. Program Model 8/31/2015

Module Browser-based Deployment

Launcher Help. Building Technologies & Solutions LIT Issued October 2018 Software Release 1.7

Chapter 10 Web-based Information Systems

Metasys Launcher. Help. Johnson Controls LIT October 2018 Release 1.7

Produced by. Mobile Application Development. Eamonn de Leastar

GRS Enterprise Synchronization Tool

18.1 Access to Google Talk Web Browser Enter the main interface Change your home page Visit a Web page...

Produced by. Mobile Application Development. David Drohan Department of Computing & Mathematics Waterford Institute of Technology

NEO 4.5. User Manual

NetDespatch Velocity Connector User Guide

ControlPoint. Installation Guide for SharePoint August 23,

IdeaTab S6000. User Guide V1.0. Please read the safety precautions and important notes in the supplied manual before use.

Bomgar Remote Support Representative Guide 16.1

Virto SharePoint Forms Designer for Office 365. Installation and User Guide

Microsoft Office 365 Integration. Administrator Guide

Configure Internet Explorer. Version 9 Settings for. CGM webpractice

Jet Data Manager 2014 Product Enhancements

Configuring Proxy Settings. STEP 1: (Gathering Proxy Information) Windows

Privileged Identity App Launcher and Session Recording

Launcher Help Code No. LIT Software Release 1.6 Issued March 2017

ValuePRO Tutorial Internet Explorer 8 Configuration

Using SourceTree on the Development Server

Excel4apps Wands 5 Architecture Excel4apps Inc.

VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch

Remote Deposit Capture (CC21) Software Installation Guide for Firefox or Internet Explorer

Valerus Internet Access Guide

Battery Power Saving Tips

FIREFLY ARCHITECTURE: CO-BROWSING AT SCALE FOR THE ENTERPRISE

VAM. ADFS 2FA Value-Added Module (VAM) Deployment Guide

1 New TCCH Outlook Web App

BCPro Installation Instructions Code No. LIT Software Release 3.0 Issued September 2017

Taking SAP Contact Center End-User Applications into Use

VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch

Series 40 6th Edition SDK, Feature Pack 1 Installation Guide

Save As PDF. User Guide

Transport Gateway Installation / Registration / Configuration

Agent Console. The Agent Console. The topics in this section provide information about the Agent Console.

Aventail ST2 SSL VPN New Features Guide

Microsoft SharePoint Server

Lenovo TAB A User Guide V1.0. Please read the safety precautions and important notes in the supplied manual before use.

WAM!NET Submission Icons. Help Guide. March 2015

Dash Jr. User Manual

Dell Wyse Management Suite. Version 1.1 Migration Guide

Quick Start Guide U.S. Cellular Customer Service

Mate2. Quick Start Guide

Configure Internet Explorer Version 11 Settings for CGM webpractice

Oracle. Field Service Cloud Using Android and ios Mobile Applications 18B

Feature Introduction. Internet Player NSZ-GS8

A. Outlook Web App -

Simplicity Itself. User Guide

Firefox OS App Days. Overview and High Level Architecture. Author: José M. Cantera Last update: March 2013 TELEFÓNICA I+D

About Retrieve 3. Installing DocuSign Retrieve 4. Logging on to DocuSign 6

Copyright

Anchor User Guide. Presented by: Last Revised: August 07, 2017

Introduction to Cisco UCS Central

Note: Google Talk may not be available in all countries and regions. Note: You need to activate a Google account before you can use Google Talk.

VII. Corente Services SSL Client

Using SANDBOXIE to Safely Browse the Internet (verified with ver 5.22) Jim McKnight Sandboxie.lwp revised

Browsing Basic Operations Bookmarks & Saved Pages Using Bookmarks & Saved Pages...5-7

Cloud Help for Community Managers...3. Release Notes System Requirements Administering Jive for Office... 6

device management The following policies can be applied to Knox container of Samsung devices. [Android OS, Samsung Only(Knox2+)]

VMware AirWatch Product Provisioning and Staging for Windows Rugged Guide Using Product Provisioning for managing Windows Rugged devices.

Minne menet, Mobiili-Java?

Visual Nexus Version 4.0

Version Release Date: September 5, Release Client Version: Release Overview 7 Resolved Issues 8 Known Issues 8

TeamViewer 12 Manual Management Console. Rev

Release Notes. DataFlow Player. Version /04/2018. t: +44 (0) e: w:

Transcription:

Widget security model based on MIDP and Web Application based on a security model with TLS/SSL and XMLDsig Claes Nilsson Technology Area Group Leader Web Browsing Marcus Liwell Technology Area Group Leader Security and DRM Rev 1

Differences of the security approaches in PCs and mobile devices Established as open environment users are used to install and uninstall program User aware of and accepts security problems firewalls and virus protection generally used Currently user s awareness of security issues are low Mobile devices are considered as secure Mobiles are getting more and more based on open environments user s awareness of security issues will increase GOALS - Create a mobile security framework that is both reliable and user friendly - Preserve the user s view that mobile devices are trusted and secure

Difference in security approaches between Web Applications and Widgets Web App Find new services by Web Execution Environment Security framework Platform API s No installation process several URLs and is often dynamically generated the device Invoked by the browser by Content resides behind gallery Downloaded and installed on browsing around a URL, bookmark or shortcut Find newwidget services in widget Started from standby screen Network Calendar Location Camera or shortcuts Executable content, i.e. scripts, contained within a single package

Widgets

Proposed security solution for Widgets Base on MIDP security principles and improve Digital signing to authenticate the Widget creator and verify the integrity of the Widget. Is independent of the delivery solution, i.e. the server the Widget is fetched from Protection domain concept to create a default policy to ease the IOT burden on application developers To be added: Mechanism to dynamically define API permission policies for the different domains Focus on usability Avoid pop-ups when the Widget is under execution. MIDP implementations often launch pop-ups during execution that are difficult to relate to the current user context. Use requested API permissions in the Widget manifest to execute user dialogues asking for permissions at installation time User may have the possibility to impact when user dialogues asking for permissions are executed

Untrusted and trusted domains Untrusted Widgets Origin and integrity of the Widget can NOT be trusted by the device Must execute in the untrusted domain using a restricted environment: Access to un-sensitive APIs, e.g. UI, Playback of sound, vibration etc Access to some protected APIs with explicit user confirmation, e.g. http and https Trusted Widgets Digitally signed and verified Security model based on protection domains Each protection domain defines a set of permissions to authorize access to protected APIs or function groups

Permission policies for protection domains Manufacturer Allowed permissions: (no user interaction) 1 Allowed 2 permissions: (no user interaction) Operator Third Party 1 User Allowed permissions: APIpermissions: FG 2 (requires user interaction) (no user interaction) 1 User APIpermissions: FG 2 Blanket:: (requires user interaction) ( ask at installation ) Session: ( ask on the first invocation ) 5 User permissions: 10 Blanket:: Session: 6 11 (requires user interaction) ( ask at installation ) ( ask on the 5 Blanket: 6 Oneshot: ( ask at installation ) ( ask always ) 15 5 Oneshot: 16 6 ( ask always ) 15 Oneshot: 16 ( ask always ) 15 16 first invocation ) 10 Session: 11 ( ask on the first invocation ) 10 11 API permission policies for the different protection domains, e.g.3rd party, operator, manufacturer, are dynamically loaded into the device.

Requesting permissions at Widget installation Widget manifest Requested Permissions: <Location API> Location </Location API> <Camera API> Camera Advance Camera Light </Camera API> <Calendar API> Calendar </Calendar API> At installation validate against the permission policies for the Widget s protection domain Hierarchy of APIs to same functionali use best available in device User may be allowed to configure use dialogues. For example, impact if location API is always available or if the user should confirm every time If API is not allowed for the Widget s protection domain, it shall be up to the Widget to decide if it still shall be installed or not.

Web Applications

Proposed security solution for Web App Navigation Web Application Service Transport layer security (TLS/SSL) Verify origin and integrity of Web Application Transport layer security (TLS/SSL) Authenticates the server from which the page was loaded and achieves integrity protection during the transport from server to client XMLDsig of page or parts of the page Authenticate the content creator if needed (some sensitive APIs) Transport layer security (TLS/SSL) XML Digital signing of page or parts of the page Manufacturer Web Application Service Focus on usability Avoid irritating pop-ups Consider asking for user permissions when the page is loaded

Permission policies for protection domains Similar protection domain concept as for Widget also for Web Applications Possible security levels: No secure transport and signing: Only harmless APIs can be accessed (battery level, beep, vibration etc) Secure transport: Medium sensitive APIs can be accessed (Positioning, Camera, Call Handling etc) Secure transport and signing: Highly sensitive APIs can be accessed (SIM, DRM etc) Transport layer security (TLS/SSL) Authenticates the server to identify which API access policy shall be used Transport layer security and XML Digital signing Combination of transport layer security and digital signing gives the highest security level and ensures end to end security. Cross server applications will not cause illegal use of sensitive APIs by a Web application hosted on a non trusted server when it is accessed through a trusted server.

Thank you

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback