Mobile Security

Security analysis of MitID and other mobile apps

Publications
Aarhus University 2018-present
Project Supervisor

The effort started with a security analysis of major Brazilian banking applications in the Android platform. It considered the SSL/TLS configuration (supported standards, algorithms, and other settings) at the server-side and public key certificate validation performed on the client-side. We discovered that six out of the seven major Brazilian banks did not appropriately protect against man-in-the-middle attacks, making it possible for an attacker in control of the communication infrastructure to collect authentication credentials and sensitive financial information.

Vulnerabilities were disclosed to the interested parties in May 2015, following standard industry practice, and the findings received coverage in Brazilian news. After that, the effort continued beyond the initial disclosure by monitoring security issues in these apps every six months, concluding that security posture oscillates quite a bit as mobile apps receive interface overhauls and new features frequently. These results produced a technical report, which was novel in conducting such an extensive security analysis over a significant amount of time (4 years).

In the last few years, the project has been expanded and adapted the initial prototype for my courses in Network and Systems Security. The result is a final assignment using industry-standard tools for students to conduct security analysis that considers aspects of software security, network communication, authentication mechanisms, and privacy. Around 50 Android applications (mainly from Denmark) have been analyzed using this methodology, which surfaced numerous vulnerabilities in the insecure deployment of cryptography and API design, weak authentication workflows, and session management. In several cases, the vulnerabilities were critical enough to warrant extremely careful disclosure to the interested parties using secure means.

A remarkably successful example that illustrates the effort was the detection of vulnerabilities related to inadequate information disclosure, social engineering threats, and Denial of Service attacks during the deployment of the new MitID system.

Active

Publications

User-centric security analysis of MitID: The Danish passwordless digital identity solution

Computers & Security (COSE) 2023
DOI PDF BibTeX Project MobiSec

Security analysis of the passwordless MitID digital identity system

Poster session at 27th Nordic Conference on Secure IT Systems (NordSec 2022) 2022
PDF BibTeX Slides Project MobiSec

Security Analysis of Brazilian Mobile Banking Apps on Android

Technical Report 2018
PDF BibTeX Project MobiSec

Análise de segurança em aplicativos bancários na plataforma Android

Workshop de Trabalhos de Iniciação Científica e de Graduação (WTICG), XV Simpósio Brasileiro de Segurança da Informação e Sistemas Computacionais (SBSeg) 2015
PDF BibTeX Best student paper award Best Undergrad Research Project MobiSec

Talks

Pitfalls in securing (Danish) mobile apps

Slides Video Project MobiSec