ZertApps – Project description
The rapid spread of smartphones and of easily installable applications (apps) from a large number of, often unknown, providers carries significant risks for consumers as well as for enterprise use. According to current reports, more and more vulnerabilities are being found in very widespread apps, the WhatsApp Messenger being one example, and even security-critical apps for payment processing are not protected against faulty implementations of SSL encryption.
In summary, the security of apps cannot be guaranteed with existing techniques. The aim of the research project ZertApps is to address the theme “Security Analysis of Mobile Applications” fundamentally and comprehensively and to develop an analysis and certification platform for apps. To that end, the entire supply chain from development to deployment of apps is to be covered, and certificates will be awarded for the security of apps. The initial focus is the Android operating system; a transfer of the findings to iOS is planned.
The project plans to combine static preliminary analyses of apps with dynamic analyses on the device itself, so that a malicious app cannot escape detection: an attack is detected at the latest when the app actually executes it. The dynamic analyses are optimized statically: if an app has been programmed so that it (partly) provably satisfies a security policy, the dynamic tests for that policy are omitted (for those parts). In addition, cross-technology security analyses will be developed to examine hybrid apps in their entirety. The different channels by which a smartphone communicates with the outside world, such as the Internet, SMS/MMS, Bluetooth or Near Field Communication (NFC), make the task more complex but also more interesting.
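The interplay between a static pre-analysis and an on-device monitor described above can be illustrated with a small model. The following Python code is an added example and is not code from the ZertApps project; it assumes a simplified app model in which each component is an ordered list of API-call names, a single policy ("data from a sensitive source must not reach a network or SMS sink"), and that calls such as reflection or dynamic class loading are opaque to the static analysis. The static pass classifies each component as provably compliant, provably violating, or undecidable; the runtime monitor is armed only for the undecidable components, which is the static optimization of the dynamic checks that the text describes.

```python
"""Toy combination of static pre-analysis and dynamic monitoring (added example).

App model (an assumption of this example): a dict mapping component name to the
ordered list of API calls that component makes. Policy: no source -> sink flow.
"""

# Hypothetical API-call vocabulary used by the model (not Android's real API names).
SOURCES = {"contacts.read", "location.read", "sms.read"}
SINKS = {"net.send", "sms.send"}
# Calls the static analysis cannot see through: what runs after them is unknown.
OPAQUE = {"reflect.invoke", "dex.loadClass"}


def static_check(calls):
    """Classify a call sequence against the policy without running it.

    Returns 'ok' (provably compliant), 'violation' (a source reaches a sink on the
    visible path) or 'unknown' (an opaque call hides part of the behaviour).
    """
    tainted = False      # a sensitive source has been read so far
    undecided = False    # an opaque call was seen; later behaviour is invisible
    for call in calls:
        if call in OPAQUE:
            undecided = True
        elif call in SOURCES:
            tainted = True
        elif call in SINKS and tainted:
            return "violation"   # definite, whatever the opaque parts do
    return "unknown" if undecided else "ok"


def plan_monitoring(app):
    """Static pre-analysis over all components; the result drives the monitor."""
    return {name: static_check(calls) for name, calls in app.items()}


class RuntimeMonitor:
    """Dynamic taint monitor, armed only where the static pass was undecided."""

    def __init__(self, plan):
        # Components proven 'ok' need no runtime checks; 'violation' components
        # would already have failed certification, so only 'unknown' is monitored.
        self.monitored = {name for name, verdict in plan.items() if verdict == "unknown"}
        self.tainted = {}   # component -> whether a source was read at runtime

    def observe(self, component, call):
        """Report an executed call. Returns True if allowed, False if it must be blocked."""
        if component not in self.monitored:
            return True                      # statically decided: zero runtime cost
        if call in SOURCES:
            self.tainted[component] = True
        elif call in SINKS and self.tainted.get(component, False):
            return False                     # policy violation caught at execution
        return True


# Constructed sample app (not a real application).
SAMPLE_APP = {
    "Settings": ["prefs.read", "ui.render"],                      # provably fine
    "Sync": ["contacts.read", "net.send"],                        # provable leak
    "Plugin": ["contacts.read", "dex.loadClass", "ui.render"],    # undecidable statically
}


def demo():
    """Run the static pass and replay a runtime trace through the monitor."""
    plan = plan_monitoring(SAMPLE_APP)
    monitor = RuntimeMonitor(plan)
    trace = [("Settings", "net.send"),     # unmonitored: proven safe statically
             ("Plugin", "contacts.read"),  # monitored: taints the component
             ("Plugin", "net.send")]       # monitored: blocked at runtime
    decisions = [monitor.observe(component, call) for component, call in trace]
    return plan, decisions


if __name__ == "__main__":
    plan, decisions = demo()
    print("static plan:", plan)
    print("runtime decisions:", decisions)
```

The point of the model is the division of labour: the static verdict removes the monitoring overhead for the Settings component entirely, the Sync component is rejected before it ever reaches a device, and only the Plugin component, whose behaviour is hidden behind dynamic class loading, pays for runtime taint tracking, where the leak is still caught the moment the send is attempted.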
The consortium is well positioned to reach these challenging goals. On the one hand, the supply chain mentioned above is covered completely: OTARIS as an app developer, datenschutz cert as a testing laboratory (with several years of experience in the field of the Common Criteria) and SAP as a marketplace operator (SAP Enterprise App Store) and provider of a device management solution (SAP Afaria and SAP Mobile Platform) are involved in the project. On the other hand, the research partners have profound expertise in the relevant subject. The BSI considers the project idea relevant and has agreed to participate in the project in an advisory capacity.
Duration: 01.01.2014 – 31.12.2015
Partners: OTARIS Interactive Services GmbH, datenschutz cert GmbH, SAP AG, Fraunhofer-Institut für Sichere Informationstechnologie SIT, TU Darmstadt