Trustworthy Web Authentication on Mobile Platforms (in collaboration with Nokia)
The popularity of mobile phones and the vast number of the corresponding applications makes these platforms attractive targets to attackers. Current commodity mobile phone operating systems and software cannot offer reliable protection of user credentials (i.e., passwords) intended for user authentication. Attackers have a wide spectrum of attacks targeting user credentials. Malicious software (malware) such as Trojan horses can retrieve the passwords from the mobile phone and send it to the attacker. Social engineering attacks such as phishing trick the user to reveal credentials, e.g., by means of requesting the user to fill in credentials into fake web authentication form. Beside this, mobile devices are easy target for physical attacks as they are often lost or stolen.
Currently, the only solutions available for mobile phones to secure user credentials are password managers, which are essentially simple password databases. They encrypt all passwords with a master password but do not offer sophisticated protection against malware or classical phishing attacks.
Within the project “Trustworthy web-authentication on mobile platforms” (TruWalletM) we are working on the design and implementation of a wallet-like password manager and authentication agent protecting user credentials from malware, phishing and physical attacks on mobile platforms. Basically, TruWalletM design relies on the isolation of the code operating on user credentials from the rest of the system. To achieve isolation, we leverage various approaches, such as virtualization provided by a security kernel, or commodity secure hardware (such as M-Shield and ARM TrustZone).
TruWalletM is fully compatible with standard browsers and standard OSes, as well as with standard web authentication methods, i.e., password-based authentication and SSL/TLS.
TruWalletM screenshots on Nokia N900:
A Security Architecture for Accessing Health Records on Mobile Phones. Alexandra Dmitrienko, Zecir Hadzic, Hans Löhr, Ahmad-Reza Sadeghi, Marcel Winandy, 4th International Conference on Health Informatics (HEALTHINF 2011).
TruWalletM: Secure Web Authentication on Mobile Platforms. Sven Bugiel, Alexandra Dmitrienko, Kari Kostiainen, Ahmad-Reza Sadeghi, Marcel Winandy, INTRUST 2010 The Second International Conference on Trusted Systems.
Securing the Access to Electronic Health Records on Mobile Phones. Alexandra Dmitrienko, Zecir Hadzic, Hans Lhr, Ahmad-Reza Sadeghi, Marcel Winandy. In: Springer-Verlag: Biomedical Engineering Systems and Technologies, 2011.
Contact: Sven Bugiel, Alexandra Dmitrienko