
Secure VoIP - DroidCon 2015

Jul 19, 2015


Marco Pozzato
Transcript
Page 1: Secure VoIP - DroidCon 2015

Secure VoIP

Mobile Secure Communication Solutions for Enterprises April 2015

Marco Pozzato - CTO

[email protected]

Emanuele Gambaro – Android Engineer

[email protected]

Page 2: Secure VoIP - DroidCon 2015

Agenda

● Introduction
● Network challenges
● SW Engineering challenges
● MultiPlatform challenges
● Security challenges

Page 3: Secure VoIP - DroidCon 2015

Introduction

Privacy & Business threats
● Industrial espionage
● Mass surveillance

Secure Voice & Text Communications

Page 4: Secure VoIP - DroidCon 2015

Mobile Communications

● GSM is insecure

● Data Over Voice codec

● CSD is phased out

● → SVOIP

Network challenges

Page 5: Secure VoIP - DroidCon 2015

Mobile Communications

Mobile data networks are evil
● Packet loss
● Burst based
● Highly congested
● TCP exponential backoff
● VoIP block (censorship or contractual)

Network transparency myth!

Network challenges

Page 6: Secure VoIP - DroidCon 2015

Mobile Platforms for VIP

VIP smartphones in enterprises
● Blackberry OS 5/6/7: push email
● iPhone: cool device
● Android: power users and geeks
● Blackberry 10: strong security & EMM

Tech guys are climbing the organizational hierarchy

Multiplatform challenges

Page 7: Secure VoIP - DroidCon 2015

Porting from Blackberry 5

Blackberry VS Android
● Differences between platforms
● Our first try
● Our final solution

Multiplatform challenges

Page 8: Secure VoIP - DroidCon 2015

Porting to BlackBerry 10

Blackberry 10 and Android runtime

● Easy to port application from android to Blackberry 10.3

● ...but a lot of missing important features

● Our solution: a native app

Multiplatform challenges

Page 9: Secure VoIP - DroidCon 2015

Zorg

Zorg – a cross-platform ZRTP library

● What are ZRTP and ZORG?

● Diffie-Hellman is slow in software

● Embedding the standard Bouncy Castle (BC) provider for ECDH → package name clash

Software engineering challenges

Page 10: Secure VoIP - DroidCon 2015

Multi-product codebase

One codebase, different products

● Manage UI resources

● Manage different languages and product name

● Manage different products from the same source code

Software engineering challenges

Page 11: Secure VoIP - DroidCon 2015

Data In Transit

How to protect communications between device and server

● Using secure connections and PKI

● Use only the right ciphers: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"

● Trust only one Certificate Authority

Security challenges

Page 12: Secure VoIP - DroidCon 2015

Data At Rest / 1

How to protect key and password on device

● Android keystore support

● Keystore bug: https://code.google.com/p/android/issues/detail?id=61989

● API changes from 4.x to Lollipop

Security challenges

Page 13: Secure VoIP - DroidCon 2015

Data At Rest / 2

How to protect user data on device
● Protect sqlite databases using sqlcipher for Android

● Secure logging

Security challenges

Page 14: Secure VoIP - DroidCon 2015

Randomness and entropy

Java SecureRandom bug

Our test on Samsung S3 with android 4.3

***** BUG FEED DATABASE *****

Run # 3987

Duplicates #15

Pid | seed

6945|96c8cf6b3c3f0786|2

6958|ade560b0c3d272f6|2

[...]

9378|0b9b08fe52b6003d|2

Our solution: using device microphone

Security challenges

Page 15: Secure VoIP - DroidCon 2015

Generate key from password

Use PBKDF2 as key derivation function

● Generate strong encryption password from PIN or password

● Iteration tuning

● Android charset bug

Security challenges
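The two bullets "Iteration tuning" and "Android charset bug" in working form, as an added Python example that is not part of the talk or of the PrivateWave code. It models the legacy Android password conversion (only the low byte of each character kept) in password_to_8bit, which is an assumption about its exact shape; the salt is a constructed value, and PBKDF2-HMAC-SHA1 is used because that is the algorithm the Android provider name PBKDF2WithHmacSHA1 refers to.

```python
import hashlib
import time

# Constructed sample salt; a real app stores a random per-user salt next to the ciphertext.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")


def password_to_utf8(password: str) -> bytes:
    """Correct conversion: every code point of the password survives."""
    return password.encode("utf-8")


def password_to_8bit(password: str) -> bytes:
    """Assumed model of the legacy conversion: each UTF-16 code unit reduced to
    its low byte, so any two characters sharing a low byte become identical."""
    return bytes(ord(ch) & 0xFF for ch in password)


def derive_key(password: str, salt: bytes, iterations: int,
               to_bytes=password_to_utf8) -> bytes:
    """PBKDF2-HMAC-SHA1 -> 256-bit key (the AES-256 size used on the TLS slide)."""
    return hashlib.pbkdf2_hmac("sha1", to_bytes(password), salt, iterations, dklen=32)


def keys_collide(pw_a: str, pw_b: str, to_bytes, iterations: int = 1000) -> bool:
    """True when two *different* passwords derive the same key under a conversion,
    i.e. the conversion has silently shrunk the password space."""
    if pw_a == pw_b:
        return False
    return (derive_key(pw_a, SALT, iterations, to_bytes)
            == derive_key(pw_b, SALT, iterations, to_bytes))


def tune_iterations(target_seconds: float = 0.1, start: int = 1000) -> int:
    """Iteration tuning: double the count until one derivation costs about
    target_seconds on this device; the chosen count is stored with the salt."""
    iterations = start
    while True:
        t0 = time.perf_counter()
        derive_key("benchmark", SALT, iterations)
        if time.perf_counter() - t0 >= target_seconds:
            return iterations
        iterations *= 2


if __name__ == "__main__":
    # 'Ł' is U+0141; its low byte 0x41 is ASCII 'A', so the 8-bit model cannot tell them apart.
    print("utf-8 collision:", keys_collide("PIN-A", "PIN-Ł", password_to_utf8))  # False
    print("8-bit collision:", keys_collide("PIN-A", "PIN-Ł", password_to_8bit))  # True
    print("iterations for ~100 ms on this device:", tune_iterations())
```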

Page 16: Secure VoIP - DroidCon 2015

Vulnerability assessment

● Made by third party company

● Different methodologies

● Some examples

Security challenges

Page 17: Secure VoIP - DroidCon 2015

Static analysis

Static analysis on android application

● Goal of a static analysis

● What can be found with static analysis?

● Common false positive

Security challenges

Page 18: Secure VoIP - DroidCon 2015
Page 19: Secure VoIP - DroidCon 2015

Links
● support.privatewave.com
● www.zrtp.org