This week Masabi, the UK-based secure mobile apps company, announced that BT has validated the cryptographic algorithms used in EncryptME. EncryptME is the world’s first mobile Java security application and can provide Web commerce level security for the vast majority of existing mobile handsets.
The 3K code footprint allows fully secure transactions from any Java-enabled phone. The first to use the EncryptME app will be train ticketing technology specialists YourRail, and this will enable tickets to be purchased securely and then used from almost all mobile phones. Payment can be made by credit and debit cards, and the handset is all you need to then get aboard!
“The main reason internet commerce has not been extended into the mobile world has been that most handsets cannot support the security available on PCs which is necessary to safely authenticate users and perform transactions. EncryptME symbolises the turning of the tide,” said Ben Whitaker, Co-Founder and head of Security Development at Masabi. “For the first time EncryptME brings internet security to mobile phones thereby enabling the likes of Amazon, eBay and any other internet retailer to extend their offerings to users on the move.”
What makes EncryptME very interesting is that it can work with both new and older phones to establish encrypted connections over a wireless network. It works with GPRS, 3G and SMS, as well as short-range wireless technology platforms including Wi-Fi and NFC. The software has been designed to meet public standards so that all server-side cryptography can be handled by existing security systems, such as Sun or Microsoft.



Comments
Certification from BT/NIST has very little to do with “Web commerce level security.” Almost no browser or web servers currently doing “web commerce” are running in certified configurations at all (in Firefox, you would need to be using the FIPS security device, and even that hasn’t finished certification yet).
Almost every Java-enabled mobile phone has built-in support for HTTPS for Java ME apps already, even ones that are years old. That means that this library is only really useful for applications that cannot use HTTPS but still require encryption.
Furthermore, this might be the first certified Java ME library, but similar libraries have been around forever. Bouncy Castle’s ME edition comes to mind. It is not certified but it is well-tested over several years by many, many people.
Finally, it is not clear to me how this library can possibly provide a decent random number generator. Where is it getting entropy to seed the generator? I suppose it is possible but I am skeptical.
Hi Brian,
good points, and they deserve answers:
1: serious browsers, operating systems and servers go through certification at some point, maybe not in their earliest release, but the certification process is deemed to be important enough for many to engage and take part. Governments mandate it for their most important systems.
Without standards bodies and 3rd party validation how should users know half decent security from Snake Oil?
2: Yes, the latest phones do have HTTPS, but with issues.
a) Most use RC4, which according to CERT Advisory 565052 shouldn’t be used.
b) It’s slow, requiring multiple connections to start a session. (between 6 and 20 times slower than EncryptME)
c) It can’t encrypt SMS messages.
d) In many cases root certificate problems prevent J2ME apps from using it.
I will be putting up a more complete blog post on the subject shortly on blog.masabi.com.
3: Bouncy Castle is a wonderful thing, but too big to bolt onto an application that wasn’t built around it, and wants to do significantly more than just encrypt. (about 1/3 of all the space in an application would be taken up by BC) Most of a mobile application developer’s hair is lost trying to make apps small enough.
4: Decent Random Numbers: a very good point Brian, and one that many mainstream “secure” mobile java applications fall down on, risking side-port attacks. If you download any of our applications you will find that just like the top PC security applications we always get the user to press a load of keys (or play a game) until we’ve captured enough real entropy to seed our approved Pseudo-Random Number Generator. Again, there will be a future blog.masabi.com post on this.
Thanks for asking such good questions Brian, it’s needed in the security world to make sure people know what they are getting, and discuss the important topics!
If you want to discuss it further you can get me on +44 207 981 9781 or ben (at) masabi.com.
Ben.
Hi Brian,
good points, and they deserve answers:
1: serious browsers, operating systems and servers go through certification at some point, maybe not in their earliest release, but the certification process is deemed to be important enough for many to engage and take part. Governments mandate it for their most important systems.
Without standards bodies and 3rd party validation how should users know half decent security from Snake Oil?
2: Yes, the latest phones do have HTTPS, but with issues.
a) Most use RC4, which according to CERT Advisory 565052 shouldn’t be used.
b) It’s slow, requiring multiple connections to start a session. (between 6 and 20 times slower than EncryptME)
c) It can’t encrypt SMS messages.
d) In many cases root certificate problems prevent J2ME apps from using it.
I have posted more detail with references on blog.masabi.com if you are interested.
3: Bouncy Castle is a wonderful thing, but too big to bolt onto an application that wasn’t built around it, and wants to do significantly more than just encrypt. (about 1/3 of all the space in an application would be taken up by BC) Most of a mobile application developer’s hair is lost trying to make apps small enough.
4: Decent Random Numbers: a very good point Brian, and one that many mainstream “secure” mobile java applications fall down on, risking side-port attacks. If you download any of our applications you will find that just like the top PC security applications we always get the user to press a load of keys (or play a game) until we’ve captured enough real entropy to seed our approved Pseudo-Random Number Generator. Again, there will be a future blog.masabi.com post on this.
Thanks for asking such good questions Brian, it’s needed in the security world to make sure people know what they are getting, and discuss the important topics!
If you want to discuss it further you can get me on +44 207 981 9781 or ben (at) masabi.com.
Ben.