Secure VoIP - droidcon 2015


Secure VoIP

Mobile Secure Communication Solutions for Enterprises April 2015

Marco Pozzato - CTO

[email protected]

Emanuele Gambaro – Android Engineer

[email protected]

Agenda

● Introduction

● Network challenges

● SW Engineering challenges

● MultiPlatform challenges

● Security challenges

Introduction

Privacy & Business threats

● Industrial espionage

● Mass surveillance

Secure Voice & Text Communications

Mobile Communications

● GSM is insecure

● Data Over Voice codec

● CSD is phased out

● → SVOIP

Network challenges

Mobile Communications

Mobile data networks are evil

● Packet loss

● Burst based

● Highly congested

● TCP exponential backoff

● VoIP block (censorship or contractual)

Network transparency myth!

Network challenges

Mobile Platforms for VIP

VIP smartphones in enterprises

● BlackBerry OS 5/6/7: push email

● iPhone: cool device

● Android: power users and geeks

● BlackBerry 10: strong security & EMM

Tech guys are climbing the organizational hierarchy

Multiplatform challenges

Porting from Blackberry 5

BlackBerry vs. Android

● Differences between platforms

● Our first try

● Our final solution

Multiplatform challenges

Porting to BlackBerry 10

Blackberry 10 and Android runtime

● Easy to port an application from Android to BlackBerry 10.3

● ...but a lot of missing important features

● Our solution: a native app

Multiplatform challenges

Zorg

Zorg – a cross-platform ZRTP library

● What are ZRTP and ZORG?

● Diffie-Hellman is slow in software

● Embed standard BC (Bouncy Castle) with ECDH → package name clash

Software engineering challenges

Multi-product codebase

One codebase, different products

● Manage UI resources

● Manage different languages and product name

● Manage different products from the same source code

Software engineering challenges

Data In Transit

How to protect communications between the device and the server

● Using secure connections and PKI

● Use only the right ciphers: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"

● Trust only one Certificate Authority
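The three bullets above, as an added example that is not code from the talk: a client TLS context built with Python's standard ssl module, standing in for the Android/JSSE configuration the speakers used. It trusts only the CA in one PEM file, verifies the server hostname, and offers the single cipher suite named on the slide. The helper names, the CA file parameter and the "fail closed when no CA is given" behaviour are this example's own choices.

```python
"""Added example (not from the talk): one trusted CA, one cipher suite,
hostname verification, using the stdlib ssl module as a stand-in for JSSE."""
import socket
import ssl

# The suite from the slide, by IANA name and by the OpenSSL name that
# ssl.SSLContext.set_ciphers() expects.
PINNED_SUITE_IANA = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
PINNED_SUITE_OPENSSL = "ECDHE-RSA-AES256-SHA"


def build_pinned_context(ca_file):
    """Client context that trusts only the CA(s) in ca_file, verifies the
    hostname and offers a single cipher suite. ca_file=None loads no CA at
    all, so every handshake fails closed instead of silently falling back
    to the OS trust store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # default for TLS_CLIENT, made explicit
    ctx.check_hostname = True
    # Deliberately no load_default_certs(): the OS store holds many CAs,
    # and any one of them could issue a certificate for our server name.
    if ca_file is not None:
        ctx.load_verify_locations(cafile=ca_file)
    # Everything except the pinned suite is dropped for TLS 1.2; TLS 1.3
    # suites are governed separately by OpenSSL and stay enabled.
    ctx.set_ciphers(PINNED_SUITE_OPENSSL)
    return ctx


def describe(ctx):
    """Policy summary of a context, handy for a unit test or a startup log."""
    tls12_suites = sorted({c["name"] for c in ctx.get_ciphers()
                           if c["protocol"] != "TLSv1.3"})
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
        "tls12_suites": tls12_suites,
    }


def negotiated_cipher(ctx, host, port=443):
    """Connect and return the (suite, protocol) the server agreed to."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, proto, _bits = tls.cipher()
            return name, proto


if __name__ == "__main__":
    # Pass the path of your own CA certificate here (placeholder path).
    print(describe(build_pinned_context(None)))
```

A handshake against a server whose certificate chains to any other CA, or whose name does not match, is refused before any application data is sent; the describe() output is what you would assert on in a test so that a later refactor cannot quietly re-enable the system store or the default cipher list.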

Security challenges

Data At Rest / 1

How to protect keys and passwords on the device

● Android keystore support

● Keystore bug: https://code.google.com/p/android/issues/detail?id=61989

● API changes from 4.x to Lollipop

Security challenges

Data At Rest / 2

How to protect user data on the device

● Protect SQLite databases using SQLCipher for Android

● Secure logging

Security challenges

Randomness and entropy

Java SecureRandom bug

Our test on a Samsung S3 with Android 4.3

***** BUG FEED DATABASE *****
Run # 3987
Duplicates #15
Pid | seed
6945|96c8cf6b3c3f0786|2
6958|ade560b0c3d272f6|2
[...]
9378|0b9b08fe52b6003d|2

Our solution: using device microphone
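An added example, not code from the talk, for the two points above: a small checker that reads feed rows in the slide's "pid|seed|n" layout and reports every seed that more than one process produced (the symptom the speakers measured), and a conditioning step that folds externally captured samples, such as the microphone audio they used, into the platform seed with SHA-256. The feed rows beyond the three copied from the slide, the helper names and the stand-in "microphone" bytes are constructed for this example.

```python
"""Added example (not from the talk): spot repeated SecureRandom seeds across
processes, then condition outside entropy into a fresh seed."""
import hashlib
import os
from collections import defaultdict

# Constructed sample in the slide's "pid|seed|n" layout. Rows 6945, 6958
# and 9378 copy the slide; the other rows are made up to show collisions.
FEED = """\
***** BUG FEED DATABASE *****
Pid | seed
6945|96c8cf6b3c3f0786|2
6958|ade560b0c3d272f6|2
7013|96c8cf6b3c3f0786|2
7102|5d1e0ac9f07b3e22|1
9378|0b9b08fe52b6003d|2
9391|ade560b0c3d272f6|2
"""


def parse_feed(text):
    """Return [(pid, seed), ...]; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) < 2 or not parts[0].isdigit():
            continue
        rows.append((int(parts[0]), parts[1].lower()))
    return rows


def duplicate_seeds(rows):
    """seed -> sorted pids, for every seed reported by more than one process.
    A correctly seeded generator should never produce an entry here."""
    by_seed = defaultdict(set)
    for pid, seed in rows:
        by_seed[seed].add(pid)
    return {seed: sorted(pids) for seed, pids in by_seed.items() if len(pids) > 1}


def condition_seed(platform_seed, external_samples, personalization=b"svoip-seed"):
    """Combine the platform seed with externally captured samples (the
    speakers used raw microphone audio) through SHA-256, a standard one-way
    conditioning step: the output stays unpredictable as long as at least
    one input is, so a repeated platform seed cannot cancel out fresh
    samples. Each input is length-prefixed so the encoding is unambiguous."""
    h = hashlib.sha256(personalization)
    for chunk in (platform_seed, *external_samples):
        h.update(len(chunk).to_bytes(4, "big"))
        h.update(chunk)
    return h.digest()


if __name__ == "__main__":
    print("duplicate seeds:", duplicate_seeds(parse_feed(FEED)))
    fake_mic = [os.urandom(64) for _ in range(4)]   # stands in for audio frames
    print(condition_seed(bytes.fromhex("96c8cf6b3c3f0786"), fake_mic).hex())
```

Run over the real feed, duplicate_seeds() gives the same "Duplicates" count the slide reports, broken down by seed; the conditioning function is the piece to put in front of whatever consumes the seed, with the raw audio frames passed in as external_samples.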

Security challenges

Generate key from password

Use PBKDF2 as key derivation function

● Generate a strong encryption key from a PIN or password

● Iteration tuning

● Android charset bug
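The three bullets above, as an added example that is not code from the talk: PBKDF2 key derivation with a per-user random salt, a routine that tunes the iteration count by timing the derivation, and a side-by-side of two ways to turn the password into bytes. The 8-bit variant reproduces the Android behaviour before 4.4, where PBKDF2WithHmacSHA1 fed only the low 8 bits of each password character into the HMAC (Android 4.4 corrected this and kept the old behaviour available as PBKDF2WithHmacSHA1And8bit), which is why non-ASCII passwords derived different keys from a standards-conforming implementation. Python's hashlib stands in for the Android SecretKeyFactory API; the constants and helper names are this example's own.

```python
"""Added example (not from the talk): PBKDF2 with iteration tuning and the
charset pitfall made visible."""
import hashlib
import os
import time

KEY_LEN = 32              # 256-bit key
MIN_ITERATIONS = 10_000   # assumed floor; never tune below this
MAX_ITERATIONS = 10_000_000


def new_salt():
    """Fresh random salt, stored next to the ciphertext, one per user."""
    return os.urandom(16)


def derive_key(password, salt, iterations):
    """Standards-conforming PBKDF2-HMAC-SHA1 over the UTF-8 bytes of the
    password (SHA1 because that is the PRF the talk-era Android offered)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               iterations, KEY_LEN)


def derive_key_8bit(password, salt, iterations):
    """Reproduces the pre-4.4 Android behaviour for comparison only: each
    (BMP) character is truncated to its low 8 bits, so 'ä' (U+00E4) becomes
    the single byte 0xE4 and anything above U+00FF is silently mangled.
    Not for new keys; it exists to explain why old keys will not match."""
    pw = bytes(ord(ch) & 0xFF for ch in password)
    return hashlib.pbkdf2_hmac("sha1", pw, salt, iterations, KEY_LEN)


def keys_agree(password, salt, iterations):
    """True when both encodings give the same key, i.e. the password is
    pure ASCII and no migration is needed."""
    return derive_key(password, salt, iterations) == derive_key_8bit(password, salt, iterations)


def tune_iterations(target_seconds=0.25, start=MIN_ITERATIONS):
    """Double the iteration count until one derivation takes at least
    target_seconds on this device. Measure on the slowest device you
    support and store the chosen count alongside the salt."""
    salt = new_salt()
    iters = start
    while True:
        t0 = time.perf_counter()
        derive_key("benchmark", salt, iters)
        elapsed = time.perf_counter() - t0
        if elapsed >= target_seconds or iters * 2 > MAX_ITERATIONS:
            return iters
        iters *= 2


if __name__ == "__main__":
    salt = new_salt()
    iters = tune_iterations()
    print("iterations for this device:", iters)
    for pw in ("hunter2", "pässwörd"):
        print(pw, "agree:", keys_agree(pw, salt, iters))
```

The second print line is the whole charset problem in one bit: an ASCII password agrees under both encodings, a password with any character above U+007F does not, so data encrypted on an old device under the 8-bit key cannot be opened by the correct implementation unless the app detects the case and re-derives with the legacy variant before migrating.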

Security challenges

Vulnerability assessment

● Performed by a third-party company

● Different methodologies

● Some examples

Security challenges

Static analysis

Static analysis of an Android application

● Goal of a static analysis

● What can be found with static analysis?

● Common false positives

Security challenges

Links

● support.privatewave.com

● www.zrtp.org