Author: Cem Paya

Cem Payahttps://randomoracle.wordpress.com/Building & breaking systems.
Cem Paya's avatar

Meaningful choice: AppOps, Android permissions and clashing interests (part III)

[continued from part II]

Monetization

Here is a scenario when users and application developers have directly opposed interests, and the platform owner is put into a position of having to arbitrate between these two actors.

Suppose our hypothetical consumer comes across a new mobile application they consider useful. It could boost their work productivity, help connect with friends or provide some entertainment. This person wants to install and user the application on their phone to extract that “utility.” Meanwhile the company who authored that application is interested in deriving revenue from providing that useful application. In an ideal market, consumers can always negotiate and choose between:

  1. “Paid” version where the consumer pays upfront for installing the application and/or pays over time for continued access to the cloud service associated with that app. This is the more customary notion of payment where money exchanges hands.
  2. “Free” version funded by targeted advertising and user-data mining. As with other examples of seemingly “free” lunch, consumers pay dearly in privacy and attention, while avoiding monetary costs. This could involve collecting location information to display advertising based on geographic proximity to stores for example.

Developer’s ultimatum: take it or leave it

Indeed many application have this dual cost structure. Often there is even an upsell within the free version, giving users the opportunity to upgrade to paid version and get rid of advertising  nuisances. But sometimes the decision is made unilaterally by the application developer committing to one of the two models. There is no version of Facebook or Twitter where users can buy their privacy outright, paying to opt-out of data collection and behavioral advertising. For whatever reason Facebook and Twitter have decided that the optimal business strategy is to not charge users for accessing the service, but instead monetize their eyeballs indirectly via advertising. From a transactional perspective, there is nothing wrong or unfair per se about this, as long there is transparency into the terms of the arrangement. Most reputable software publishers will describe in painstaking terms exactly what nefarious data collection practices are implemented in their terms-of-use and privacy policies– which everyone clicks through without reading. Still all that legalese counts as notice, and clicking “I agree” constitutes informed consent on the part of the consumer.

Is there another option available to users dissatisfied with the status quo? There are two ways to interpret that question.

  • Capability, or “can it be done?” Can users continue to enjoy the “useful” functionality provided by an application while opting out of its harmful data-collection practices? This is a clear-cut question of facts, which depends on the nitty-gritty implementation details of  the platform/hardware where the app runs.
  • Ethics, or “should it be done?” Assuming we answer the first question in the affirmative, is it fair game for users to take such measures in the name of privacy “self-defense”? Many people would frown upon exploiting some trick to get paid applications for free. What about interfering with the business model of the developer by installing the application while disabling its ability to be monetized? Here we quickly get into gray areas. There is a  vocal group arguing that no one is hurt by pirating commercial software; surely blocking monetization can not be worse than outright stealing a copy of free (in the beer sense) software to begin with?

Off with their permissions

Android permissions and AppOps-type functionality goes to the heart of the first question. If users could start selectively disabling permissions, instead of having to agree wholesale to take-it-or-leave-it ultimatum from the application developer, they could have the best of both worlds. They can install and use it to get the benefit of the features without having to pay for the privacy harms caused by unwanted data collection.

As the second post pointed out, AppOps is not necessarily the ideal solution here. Bluntly taking away privileges can be disruptive, introducing new error cases into an application that were not  anticipated by its developers. The only way this could work is if the revoked privilege is rarely used or only used under user direction. For example an application may never resort to recording audio or taking pictures unless the user presses a particular button to invoke some specific feature. In that case removing its microphone and camera permissions will not interfere with ordinary usage, while guaranteeing that the application will not be snooping on conversations and scenes in its vicinity. Of course if the application is so predictable and well-behaved , there is no need for AppOps in the first place. Same improved privacy outcome can be obtained by not pressing that button. Meanwhile the more unruly applications that attempt to capture  audio/video randomly and never expect to get an access-denied error (because the developer declared upfront in the application manifest they need those permissions) will quickly run into trouble and crash.

Luckily there are more subtle ways to revoke access without breaking applications. Part I described one approach that creates the illusion of access granted– no unexpected “access-denied” errors to confuse the application– while returning either no data or completely fabricated bogus data which bears no relationship to the user. For Google it would be fairly straightforward to implement some variant of this as an improvement over AppOps. But would it be a wise move? The answer depends on which side one takes.

[continued]

CP

Meaningful choice: AppOps, Android permissions and clashing interests (part II)

Compatibility vs accuracy

Preceding post sketched a hypothetical solution to the AppOps compatibility problem by fabricating bogus data to appease an application when the user has declined permission. This approach does not complicate life for our (hypothetical) beleaguered developer: there are no security exceptions or bizarre error conditions introduced. All of the regular code paths in the application continue to work, only the data returned is “incorrect” in the sense that it does not correspond to the actual state of the world. This model is not entirely transparent; an application could discover that it is in fact in being lied to, depending on the model for generating the fake data. As the saying goes, liars need a good memory. If GPS is reporting a bogus location, this has to be self-consistent over time– no sudden teleportation across the globe– and also consistent with other signals such as IP address of wireless networks the device connects to. Skeptical applications could try to cross-check the reported location against such external indications and user behavior to detect fabrications– looking for restaurant recommendations in San Francisco when the location “reported” by the system is New York.

Still, the design subtly takes away the burden  from developers worried about missing permissions and shifts the balance of power back to users. They are now empowered to reject inappropriate permission requests– just like they could with the more blunt instrument of AppOps– without fear that tweaking permissions may break applications.

Business perspective

Why does Android not implement such a model where permissions can be declined without the unpleasant side-effects of AppOps? That question can not be answered at the technology level. It is more a function of competitive dynamics, of the delicate dance between platform providers vying for expanded market share (in other words Google) on the one hand, and software publishers writing applications that will make that platform more appealing.

Put bluntly, the interests of different actors are not always aligned.

  • Users: Users want to derive maximum benefit from their devices at lowest cost. “Cost” in this context includes not only direct monetary impact– upfront purchase price of phone, ongoing purchases for apps, services and content– but also intangibles such as privacy and quality of experience. For example maintaining control over personal information and not being subjected to intrusive advertising are equally relevant concerns.
  • Developers: Commercial developers are typically driven by profit maximization motives. In the short-term that could entail seemingly contradictory actions such as giving away content without generating any revenue. But these are best viewed as tactical steps supporting a long-term strategy focused on monetizing the user base. That monetization could take place directly by charging for the application and associated services (such as in-game purchases) or it could be indirect, when free content is subsidized by advertising.
    It should also be pointed out that this is not the only type of developer publishing mobile applications. Hobbyists and researchers can be far more interested in building reputation or releasing software out of altruistic motives.
  • Platform owner: Google for Android, but exact same calculus applies to Apple for iOS and MSFT on Windows Phone. Seeks maximum market share for its platform that is consistent with the licensing strategy. For example Android is given away for free to OEMs but there is a compatibility certification to qualify for using the trademark, as well as getting access to Google Play store. Apple by contrast uses an autocratic walled-garden model, where third-party hardware manufacturers can not build handsets using iOS. Microsoft used to charge for Windows Phone– inexplicable for an upstart OS trying to get traction– but that strategy may be changing.

Divided loyalties

Looking more closely at how mobile platforms gain market share, we find the platform owner with divided loyalties, trying to appease multiple constituencies. On the one hand it helps to do right by users. On the other hand, privacy and security considerations are only one of the factors contributing to such decisions. (In particular, it is an often lamented fact of life in the security community that better privacy does not help sell products the same way shiny features can. It remains to be seen to what extent the rude-awakenings inspired by Edward Snowden can change that.) There is an even bigger market distortion caused by the fact that users do not directly pick a platform. That decision is often made by other participants in the ecosystem, such as handset manufacturers who pick what OS to install on their phones– a decision the user can not easily override– and wireless carriers who wield influence by cherry-picking devices to run on their network and subsidizing/promoting the favored ones.

For all participants with a say on whether they will be using Android, iOS, Windows Phone or Blackberry, one important criteria is availability of applications. The greater the selection of apps available on that platform, the more attractive it becomes for users/carriers/handset-manufacturers. This in turn breeds a positive feedback loop: developers want to maximize their audience, so they will primarily target their applications at popular platforms.

In the next post we will argue that Android permissions– specifically ones allowing developers to monetize apps in ways users find objectionable– creates a textbook example of clashing interests between software publishers and users, forcing the platform owner to pick sides.

[continued]

CP

Meaningful choice: AppOps, Android permissions and clashing interests (part I)

The recent furor over Android 4.2.2. removing AppOps is a great example of Lawrence Lessig’s idea of regulation-by-code, when design decisions in technology are used to promote the interests of one particular group– in this case application developers– over another disfavored group, namely users.

First some background on this debacle. Android implements a relatively coarse-grained permission model, controlling what can be done by applications installed on the device. For example an app can be prevented from reading address book, making phone calls, sending text messages, accessing the camera/microphone or using Bluetooth. When this model debuted circa 2007, it represented a significant advance in terms of security models implemented for an off-the-shelf consumer device.

Sure, the academic literature did not lack for examples of elaborate fine-grained sandboxing schemes to control not only whether an application could access local storage but specify exactly which files it could read/write. Yet the state-of-the-art for  PCs and Macs continued to rely on user accounts as the fundamental security boundary. The assumption was any application user runs automatically inherits all access rights available to that user. For example when a Windows application is installed and run, that application executes with the full privileges associated with that account. (In fact since installers typically required administrator privileges, at least for a limited period of time the application had full reign over the machine.) User-account control in Vista, the first attempt to challenge that assumption, ended in disaster with its often ridiculed elevation prompt constantly asking users to make security decisions.

Luckily Android took a different route: applications declare the permissions they require to function, the user only gets to review & approve that once at the time of installation. There are very few situations beyond that when consumers were confronted with security prompts otherwise. (Authenticating with user credentials saved on the device being the primary exception.)

Meaningful choice

But there is a difference between mechanism and policy. While Android allowed specifying permissions at a granular level, it did not allow users to assign permissions at will. There was a very simple negotiation model. The author of the application specified exactly which permissions were required. The user either agreed and installed that application, or they disagreed and walked away. In other words: take it or leave it. This was clearly not a case of “meaningful choice,” in the same way that passengers can opt out of TSA security screening if they agree not to board the airplane. (Strictly speaking if one does not board the flight, they are not a passenger.)

Many people– both inside and outside Google– wandered out loud why Android did not give users more control. For example, why not allow an application to be installed but also remove some egregious privilege requested by the developer? This provides the best of both worlds for the user: she gets the benefit of running the application and avoids the potential privacy harms caused by granting the dangerous permission..

AppOps

And that is exactly what AppOps offered. A hidden feature inside the familiar Android Settings application, it allowed users to view and edit permissions granted to each application.

Too powerful for its own good apparently. Not long after EFF wrote a glowing review calling it “awesome privacy tools” and guiding Android users to third-party applications for unleashing this hidden functionality, a minor system update to Android quietly removed the feature completely. Before the functionality was present but hidden: not exposed to users directly through the standard Android user interface, suggesting that perhaps Google did not consider it ready for prime-time or only intended it for internal experiments. After installing the update it was gone for good, with work-arounds only available on rooted devices.

So what was the problem with AppOps? This question can be answered on two levels: technology and business.

Technology view

Privacy-infringement apologists may point out that allowing applications to be installed with a subset of requested permissions would greatly increase the complexity of writing applications. Instead of a simple model where the application either never gets to run or runs with all requested permissions, the developer has to worry about in-between states where some operation may fail because the user decided to deny that permission. At an implementation level, that translates into added complexity. Permission errors translate into an exception in code, so now the developer is stuck writing additional code to catch this error condition and respond appropriately. (Typically one of: exit the application in disgust, shame the user into granting missing permission or move on without the requested information.)

Why not fabricate data?

There is a simple counter-argument to that objection: if the user declined permission, let’s not trigger a fatal error but instead return bogus or empty data. The application wants to learn the current location but the user does not want to be tracked? Have “GPS” report a random location around the globe. Developer wants a list of all the contacts in the address book? Fabricate “John Doe” friends or report that this user has no contacts. Developer is asking for Bluetooth access? Appear to grant access, but pretend there are no other Bluetooth devices paired to connect to.

[continued]

CP

NFC card emulation and Android 4.4 (part IV)

Part III sketched the mechanics for host-based card emulation (HCE) in Android and how AID routing is used to create an open ecosystem for user-mode applications to offer NFC services. This post will look at some edge-cases of HCE and some differences from the embedded secure element.

Feature parity

A natural question is whether HCE is “equivalent” to embedded SE or UICC from a functional perspective. (It is clearly weaker in terms of security guarantees, a subject for the next post in this series.) There are two different interpretations of that criteria:

  1. Can any application implemented with hardware SE also work with HCE?
  2. Is it possible to distinguish externally whether HCE or hardware SE is in use?

In the first scenario we assume external NFC readers interacting with the device remain fixed. No changes are envisioned to the deployed readers while we switch the phone from using eSE to HCE. This is the model relevant for compatibility. In the second case the NFC reader is going out of its way to try to distinguish between hardware and software-backed implementations.

Edge-cases

Short answer to #1 is yes in principle, but not the way it is currently implemented in Android due to some edge-cases. SELECT semantics in Android HCE are subtly incompatible with the way a Global Platform compliant card-manager behaves.

  • If an application with given AID exists, card manager switches the active context to that one. This is outside the control of the currently selected application.
  • If such an application does not exist, the SELECT command in its entirety is delivered to the currently active application. This is required  because ISO7816 “overloads” SELECT command for simulating a file-system on smart cards. The command corresponds to “directory” traversal (eg change directory) as well as opening a “file” for reading, depending on the currently selected “file.”

The second part does not work with HCE in Android. SELECT routing is handled by the OS and for unknown AIDs a simple error is returned instead of giving the current application an opportunity to respond.

Another difference is that in Global Platform, an application can be installed as “default-selected” meaning that it is automatically activated when the chip is powered on. There is no SELECT required, readers can start sending application-specific commands right away. Several smart card standards including PIV mandate that cards are configured in this manner. Android HCE does not support this. Trying to interact with the phone in HCE mode as if the intended application was already activated (without an explicit SELECT containing the AID as hint to Android) is an error.

Neither of these are fundamental limitations. SELECT behavior can be changed and NFC stack can also define a notion of “default selected application,” along with conflict-resolution rules.

Distinguishing externally

By similar reasoning, distinguishing HCE from hardware SE is trivial in the current Android incarnation: try to select the card manager, either by using its explicit AID (slightly different for each manufacturer such as NXP vs Oberthur) or with empty SELECT per Global Platform. Hardware SE will return the response from the card manager describing its functionality, HCE mode will return an error.

But as noted above this is not a hard limitation. A “card manager” replacement complete with cryptographic keys, secure channels and lifecycle management (so it will appear to be bricked after too many failed authentication attempts) can be implemented at Android level, set as default selected application. To an observer looking only at the content of messages flowing over NFC, this emulation will behave identical to hardware SE.

Of course there are side-channels such as the timing of request/response pairs and other meta-data that can give away the source. For example if eSE supports extended-length APDUs (HCE in Kitkat does not) that discrepancy can be used, or the buffering behavior when reading large APDUs can be different since the host has lots of memory and won’t exhibit a sharp discontinuity when the data suddenly exceeds the size of the limited buffer in eSE.

Coexisting with hardware SE

Interesting enough, Kitkat still allows using the embedded-secure element alongside HCE, perhaps in a nod to backwards compatibility. This mode leverages the AID-routing feature built into the NFC controller, which allows picking a card-emulation route on-the-fly based on AIDs at the hardware level. (Same mechanism used to support applets on both UICC and eSE when multiple chips are connected to the controller.)

All AIDs for applications residing on the secure element need to be declared in the  manifest. Android passes this information straight to the NFC controller; the routing decision is made at hardware level. SELECT commands for these applications will not make it to host operating system. NFC controller internally maintains a table of AIDs and associated routes. It is the responsibility of Android to populate that table based on information collected across all manifests. Any application not explicitly listed is sent up the default route.

There is a catch. NFC controllers have a limited amount of space available for maintaining such tables. The ideal scenario has most applications residing at the default route and not requiring a table-entry, with only a few exceptions listed for redirection. Seen in this light,  decision to use HCE as default and embedded SE as the exception reaffirms the change in emphasis from relying on hardware SE towards host-based designs.

CP

NFC card-emulation and Android 4.4 (part III)

[continued from part II]

Opening the platform to third-parties

eSE nd UICC provide a high-level of security and physical tamper resistance. But the locked-down environment also presents a challenge for enabling a third-party ecosystem of developers. As previous posts explored, installing applications on the embedded secure element or UICC is not a free-for-all. Card “content management” in Global Platform terminology requires knowledge of the unique card manager keys for each particular unit. (This is a simplification; for more details see earlier post.) End users and application developers do not have direct possession of these keys. Instead they are wielded by a trusted third-party dubbed Trusted Services Manager or TSM who is called on to perform the privileged operations of installing, configuring and deleting applications. On paper Global Platform envisions many complex business models where an application provider can contract with TSM to install applets on its behalf. The latest iteration GP2.2 permits supplementary security domains to perform content management. TSM could inject an SSD for each third-party and delegate application management to individual providers.

Making such arrangements work in reality has been a different story. At least for Android, with the exception of proofs-of-concept and internal demos, embedded secure element has been used only for contactless payments with Google Wallet. Similarly UICC/SIM is being used only for enabling the same scenario with a competing product called the ISIS Wallet. If secure elements had been deployed in μSD form-factor, chances are they would not fare any better in supporting an ecosystem of third-party developers. While μSD is a removable component  decoupled from handset manufacturer and carrier, there is still some entity wielding the card manager keys.

Another level of indirection

Compared to the tricky machinations required for third-parties to get their application on Global Platform-compliant secure elements, HCE greatly lowers the bar for adoption. Installing a vanilla Android app is sufficient, accessible to many developers unlike the more stringent criteria of earning the good graces of a wireless carrier. There is no need to coordinate with TSM or get permission from the handset manufacturer. Developers simply declare NFC services implemented by their code. When the phone is interacting with an external NFC reader and receives traffic, the operating system picks the intended destination by using the same trick NFC controller uses to juggle applets spread across two secure elements: AID-based routing.

As far as the NFC controller is concerned, all “host card emulation” traffic is delivered to a single endpoint represented by the Android NFC stack. There is no notion of different wallet applications or other user-level distinctions made. It is up to Android to handle that multiplexing by selectively delivering APDUs to the intended application.

AID routing in Android

Android relies on application manifests to work out this association. Every application interested in acting as a card-emulation target declares the application ID (“AID”) for which it can respond to commands. Much like the NFC controller or card manager, Android looks at the payload of incoming SELECT commands and picks an application for routing based on the AID specified in the command. This is a stateful decision. It affects not just that initial SELECT command but all subsequent APDUs. Traffic is delivered to that application until another SELECT command arrives to switch context to a different applet.

Conflict resolution

This model faces a couple of additional complications at Android level: multiple applications can claim the same AID. This can not arise on an ordinary GP-compliant smart-card. Only one applet can be installed with a given AID and the card manager will error-out on attempting to install a duplicate. Since there is no such thing as a “global-platform card manager” on Android, the system does not detect/stop such collisions. Instead they are handled by the familiar Android pattern of ranking user preference. Nothing prevents the installation of multiple “web-browser” applications claiming to handle http:// URLs but Android will resolve the ambiguity by prompting users. AID conflicts are resolved by a similar system although the user-interface is not well-defined at this point, with the curious exception of payment applications which are given their own real-estate in system settings. All other applications make do with an API to check if they are the preferred application and another API to be prompted to that spot.

AID grouping

Closely related to the problem multiple applications registering for an AID, Android allows “bundling” multiple AIDs such that an application will handle all of them or none of them. This avoids getting into a mix-and-match situation where commands associated with one AID is routed to Android application A, while commands for another one are routed to B due to conflict resolution. Such a mix-up can prevent both A & B from working correctly in scenarios when multiple card applications are involved for a particular scenario.

EMV is a very relevant example of what can go wrong if different AIDs are split across multiple Android applications. During a transaction, the point-of-sale readers first selects the PPSE (Proximity Payment System Environment) application to enumerate the available cards. Then it selects an application corresponding to one of the listed cards to carry out the payment, such as MasterCard Paypass. Consider two mobile wallets installed on the same Android device, each managing its own set of payment instruments. If PPSE implementation from wallet A is used to choose preferred credit card, but then Android switches to wallet B when Paypass AID is selected, the POS will be working with an inconsistent transaction state. (In fact the second wallet may not even have a payment instrument available corresponding to that AID, in which case the transaction will fail.)

[continued]

CP

NFC card-emulation and Android 4.4 (part II)

[continued from part I]

Choosing between multiple routes

To complicate matters, an NFC controller can support multiple connections and switch between them. For example the PN544 was capable of supporting both the UICC and embedded-SE link. The currently active path is called the “card emulation route.” Until ISIS most Android devices hard-coded this to point to the embedded SE. In principle the setting can be toggled at any time; it is not baked into the controller firmware. But until recently Android NFC stack always issued the command to set the route to eSE during boot and did not provide a way to change that later. (Not that it mattered; on most devices there is no physical wire from UICC to NFC controller. Switching the route would have no effect. More recently the presence of that extra wiring is required for ISIS compatibility.) Conversely an early prototype ISIS device this blogger examined  hard-wired the connection to the UICC, guaranteeing that Google Wallet could not run on the device even if the user managed to work around carrier restrictions.

Supporting multiple routes

The preceding discussion makes a simplifying assumption: while multiple secure elements may exist on the phone and attach to the NFC controller, only one of them will ever be used at a time. For example if the user has a payment application residing on the embedded SE and an identity application on the UICC, exactly one of them is externally accessible to an NFC reader at any given time. At best the user has access to some switch in the mobile operating system to toggle between these two options ahead of time, before the tap event.

Luckily one need not rely on such advance planning from the user. Modern NFC controllers have additional smarts to allow multiple card-emulation targets to coexist at the same time. The trick involves implementing the equivalent of content-inspection on incoming ISO7816 commands. Earlier we mentioned that the controller functions as a router, merely shuttling NFC traffic from another nearby peer to its ultimate destination. In reality modern controllers are not passive conduits; they peek at the messages flowing through and make decisions based on the payload.

Deep-packet-inspection, NFC style

That functionality is useful even when there is a single secure element in the picture. Here is a basic user-experience problem for tap-and-pay: when the user taps their device against a point-of-sale terminal and starts a payment event, it is often necessary for an Android application to intervene. For example the user may need to be prompted to enter their PIN if the operation was declined. After the transaction goes through, the application may want to display a confirmation. Minor problem: in card-emulation mode the host does not have any visibility into traffic being sent to the secure element. Incoming requests are delivered directly to the SE, where the responses also originate without ever bubbling up to the host. The user-interface for our hypothetical wallet application would have no idea that the user just tried to make a purchase.

Getting a handle on SE events

Luckily system designers anticipated that problem and introduced some notifications, which are in turn incorporate to the Android NFC stack in the form of notifications delivered to associated applications. Specific triggers include:

The first two notifications may look promising, without requiring any traffic inspection. RF field presence is about registering the existence of a change in physical environment. If payments were the only application, that would have been sufficient signal to conclude that the user attempted a transaction. (Of course in retrospect that is exactly the only scenario Android eSE was used for on any large scale.) Imagine a more ambitious vision when the SE serves both payment and public-transit scenarios, each of with a corresponding Android user-mode application. Depending on whether the user tapped a cash register or turnstile in the subway, the system needs to wake up the correct app to present additional UI.

That calls for looking at the contents of incoming traffic. Per ISO7816 SELECT commands are used to activate applications. By looking at the application identifier or “AID” specified in that APDU we can determine what type of transaction an external reader attempted. That is effectively the third notification above: it contains the AID for the specific applet selected. (As an aside, on Android only privileged applications whitelisted for NFC-extras receive these intents.) This allows applications to bring up UI– for example PIN entry in the case of Google Wallet– only when they can be certain their own SE applets have been invoked, as opposed to just any random applet.

That was an example where the NFC controller is parsing the contents of a request APDU coming over NFC and bubbling-up a notification to the host. It is also one of the exceptions to a principle described in the first blog post: host does not have visibility into external NFC traffic addressed to the SE in card-emulation mode. (Incidentally Android source code has references to another notification called “APDU received” which promises to return the full contents of an incoming NFC request. It is not implemented, and in fact can not be implemented because most NFC controllers do not have such a capability.)

The next post will describe how this capability in the NFC controlled enables supporting multiple SE simultaneous, as well as allowing SE applications to coexist with host-card emulation.

[continued]

CP

NFC card-emulation and Android 4.4 (part I)

[Full disclosure: This blogger worked on Google Wallet 2011-2013.]

Android version 4.4 dubbed Kitkat has recently introduced a new (at least “new” for the official Android distribution) NFC feature called host-based card emulation or HCE for short. HCE is  the basis for a different approach to contactless payments, a pivot away from the original strategy based on the embedded secure element. The first signs of that shift arrived earlier this summer with a curious change in the Nexus 7 hardware specs. Previous Nexus devices starting with Nexus S all contained an embedded secure element, a critical feature leveraged by Google Wallet for NFC payments. While the tablet form-factor is arguably less convenient for tapping against a point-of-sale terminal– and Wallet even ran on the larger Nexus 10 tablet– the SE was also present in the original Nexus 7 in 2012. Fast forward one year, it was conspicuously absent from the update released in July. Similarly the flagship Nexus 5 launched without an embedded secure element, becoming the first pure Google-experience phone to shed the SE.

This is unfortunate for mobile device security in general; an embedded secure element has many applications beyond NFC payments. There is a fascinating lesson in market-dynamics here: how a consortium of US wireless carriers invested in a rival payment project called ISIS successfully thwarted the deployment of an important security technology. But that is a discussion for a different time. This post will focus on the mechanics of HCE and subtle interactions from trying to coexist with embedded SE or SIM-based applications on the same device.

Card-emulation options

In card-emulation mode an NFC controller simulates the behavior of an ISO-14443 smartcard. This allows mobile devices to substitute for standalone plastic cards and dongles used in traditional security applications such as EMV payments, US government PIV card, public-transit, physical access with badge-readers and logging into a personal computer. Grossly oversimplified, that involves tunneling ISO7816 commands over NFC  to some application sitting behind the controller. This is where the different hardware options come into play. An NFC controller is just a gateway; it is not a general-purpose computing environment where applications get installed. The actual “card application” lives on some other piece of hardware that is wired to the controller. For example:

  1. Embedded secure-element or eSE for short, typically part of the same hardware as NFC controller. This was the original approach taken with Android devices. For example Nexus S and Galaxy Nexus feature a PN65N chip from NXP Semiconductors, combining the PN544 controller coupled to a SmartMX secure execution environment.
  2. UICC or glorified SIM card with additional  features. Single Wire Protocol (SWP) is the standard for connecting connect UICC & NFC controllers. This is the approach taken by ISIS for its mobile payment application.
  3. Special micro-SD cards containing a secure element. No production Android device operates in this configuration, but µSD cards such as Tyfone SideTap have certain advantages. They are easily moved between devices and they are not tied to the mobile carrier or handset manufacturer.
  4. Host-based card emulation. Originally implemented by SimplyTapp as a patch on top of Cyanogenmod 9, and now independently implemented by Google for Android 4.4. Incoming NFC traffic from external reader is delivered to the host operating-system which generates the response.

Direct connection and security implications

One important detail about the first three options above stands in sharp contrast to host-based card emulation. In these modes data sent/received does not travel through the host operating system. In other words, it is not the case that eSE outputs data to Android which in turn forwards that packet over to NFC controller for transmission over the air. Links to/from  eSE/UICC/µSD are direct. Android never sees that traffic. This is an important security feature. Consider a payment application implemented on the eSE. Such an application communicates sensitive financial information to a point-of-sale terminal during payment transactions, including credit card numbers. If that data was routed through the host OS, malware running on the host could observe it. This property is enforced by the firmware of the NFC controller itself; it is independent of any Android-side behavior. Not even malware running with Android kernel privileges can change that.

Interestingly the converse property for incoming traffic does not hold. Before the user taps their phone against an NFC reader, host malware could have switched the NFC controller into HCE mode to gobble up data intended for the eSE. But even in this scenario a weaker guarantee holds: a given command is delivered either to the eSE or the host operating system, but not both.

Another subtlety: there is also a connection from the host the embedded secure element that allows host OS to speak ISO7816 and exchange APDUs with the SE directly. At first this appears to enable a man-in-the-middle attack executed by host applications: malware receives traffic from external reader in HCE mode, accesses the SE directly over the host-interface and forwards same command as if it were received directly over NFC radio. Incidentally this hypothetical example assumes malware has already breached Android security, and is executing with root privileges. Ordinary apps on non-rooted device are limited to the subset of operations exposed by the NFC stack. There is no permission defined to allow privileged operations such as switching controller state. Even under these generous assumptions, the attack fails for a different reason. Applications running on SE can determine whether any given command is received over the “wired” interface– connected to the host– or “contactless” interface attached to the NFC antenna. So-called interface detection logic is an integral aspect of many standards including EMV. It is critical for keeping the host operating system out of the threat model. (There is also the incidental fact that changing NFC controller mode on PN65N/O will reset the secure element, losing application state and further frustrating attempts to relay commands. But it is unwise to rely on such hardware idiosyncrasies.)

[continued]

CP

Privacy and HTTP Referer header (2/2)

First part of this post left off with the question of whether blocking Referer header with client-side tweaks is a useful feature. There is a long history of vilifying Referer header in the name of security. Some personal firewall suites implemented this pseudo-mitigation, as does one experimental web-browser, a Firefox add-on and one Chrome extension. In the standards realm, an Origin response header was proposed to convey a subset of the same information, leaving out file and query-string parts of the URL. HTML5 working group also jumped into the fray with a new noreferer attribute to allow website authors to designate when Referer is suppressed.

Getting by without Referer

Paradoxically as referrer information became more valuable to advertising-based business models, the Referer header itself became less critical. It turns out same information can be conveyed in alternative ways provided the originating website cooperates. For example the identity of the website containing the link can be appended to the URL as query-string parameter. This parameter could be the verbatim representation of Referer or some shortened representation both sides agree on. In the case of a banner ad, the advertising network is crafting the final URL that users will be taken to after clicking on the link. Depending on arrangement, the advertiser paying for this service can receive additional information about the user– including current page where they encountered the display ad– incorporated into the query-string at the end of that URL.

Standard header vs home-brew alternatives

Referer header provides this functionality for free, without either site having to do any extra work to stuff more information into query strings. There are certain advantages to relying on that built-in functionality. For example if affiliate websites are getting paid based on amount traffic they drove to the destination, there is an incentive to fraudulently inflate those figures. Tweaking the query-string to create the impression that a particular visit originated from any desired origin is trivial. Referer by contrast is chosen by the visitor’s  web browser and can not be influenced by the originating page. (Note this assumes the affiliate is counting on real users to inflate the statistics, who are running unmodified “honest” web browsers getting bounced off to the real target. Of course the affiliate could maintain its own bot army of modified web-browsers that forge requests with bogus Referer headers. But such artificial streams are easier to detect due to lack of IP diversity, among other anomalies.)

Omitted by design

Referer header is also omitted in certain situations, such as going from an HTTPS page using encryption to plain HTTP page in the clear. This is an intentional security measure, to protect personal information from a secure connection leaking out on a subsequent request in the clear. Similarly Referer is not modified during redirection chains, which can have surprising effects: if page A redirects to page B using an HTTP response status code 302 and page B in turn directs to C, the final Referer observed by C will be A instead of B. In these situations it is critical to use a different mechanism for conveying information about the path a particular user traveled. (Incidentally this is also why cross-site request forgery can not rely solely on checking the Referer header. The header does serve as a reliable indicator of whether a request originated externally when present— modulo client-side bugs that allow forging the header as in this Flash example. But there are legitimate cases when the header is missing by design. Rejecting these would be a false negative.)

Partial solutions

Combining the previous two observations, Referer header is neither necessary nor sufficient for contemporary web tracking scenarios. Returning to the question of whether vilifying the Referer and stripping it out is doing any good: there is a marginal benefit for stopping accidental leaks. These are security vulnerabilities where sensitive information intended only for one website is unintentionally divulged to a third-party by sourcing embedded content or clicking on links. Diligently suppressing the header from every request will defend against these oversights. But it does nothing to prevent deliberate information sharing, when the websites in question are colluding to track users. That happens to be exactly the arrangement between a publisher offering advertising space on its pages and the advertising network providing the content for that slot. Since there is an incentive to provide necessary information to the advertiser, the publisher can do that by using the link, avoiding any dependence on the unreliable Referer header.

HTTP cookies and equivalent functionality which can be used to emulate cookies– DOM storage, Flash cookies etc.– are far more critical for tracking. This is why the advertising industry panics whenever a major browser considers mucking with cookie settings in the name of privacy. Referer header on the other hand is largely historic, incidental behavior in web browsers which has been superseded by improved proprietary designs to achieve the same purpose.

CP

Privacy and HTTP Referer header (1/2)

HTTP Referer [sic] header has become something of a favorite villain in web privacy controversies. Misspelled with a single “r” due to historical reasons, the evolution of this header is an interesting example of how features can have unintended side-effects. Introduced in  HTTP/1.0, the first version standardized by IETF, it was intended as a diagnostics mechanism:

This allows a server to generate lists of back-links to resources for interest, logging, optimized caching, etc. It also allows obsolete or mistyped links to be traced for maintenance.

When a user clicks on a link from one site to visit another, her web browser transmits a hint to the effect that “I followed a link from this other page to arrive here.” In the early vision of the web as a small, friendly place populated by academic researchers, one could imagine a web administrator reaching out to another to thank them for bringing new users to their site. Or they could politely inform their counterpart that a page they linked to has been moved or deleted, to suggest that the outdated link be corrected. (As an aside this is also the solution to an imagined problem that troubles Jaron Lanier in Who owns the future? In his critique of the web as a platform for enabling exploitation of content creators, the author cites the unidirectional nature of hyperlinks as root cause of an imbalance of power. Google profits by sending users to other websites where the real content of interest is located, but the authors who painstakingly created that content in the first place do not share in the economic gains. Lanier incorrectly assumed this is because sites can not identify the “source” to be credited for bringing users. But this is exactly what the Referer header does. Incidentally Tim-Berners Lee originally envisioned hyperlinks as bidirectional, and Referer can be viewed as a way to approximate that approach.)

The web today is not exactly the collegiate, friendly community from 1993. Trying to fix every broken incoming link by tracking down the authors would be a lost cause. Yet there are still benefits to knowing where traffic has originated from. Contemporary business models for websites depend heavily on monetizing traffic indirectly, for example by advertising or mining user-data. Scaling that effort in turn involves running various campaigns to generate traffic and bring in more “eyeballs” in industry parlance. Knowing where that traffic originated can help the website better optimize its customer acquisition plans. For example they can distinguish between users clicking on simple text ads on Google, verses rich banner ads or social media mentions. The same argument applies for embedded content. When one page includes an image, video or other web content provided by another page, the latter gets to learn about the identity of that first-party using its content.

Intentional leakage

As is often the case in policy issues, one person’s brilliant marketing idea is another’s privacy nightmare. What made the Referer seem like a good idea in 1993 is exactly the same reason it poses a privacy problem: it allows sites to learn users’ navigation patterns. To be clear, this header alone is not enough for tracking. It takes cookies and reuse of the same third-party content from multiple sites that allows building up such a profile. Much to the dismay of privacy advocates, that scenario arises quite frequently in the context of advertising networks. For example DoubleClick— acquired by Google in 2008– provides banner ads for tens of thousands of websites. These ads are included by the publisher— the original website the user visited– embedding third-party content on their pages hosted by DoubleClick servers. When a web browser is rendering that publisher page, requests are made to DoubleClick with Referer header bearing the address of the publisher. (As we will see in the second half of this post, this is not the only way for DoubleClick to find out the originating party.) DoubleClick maintains a long-lived third-party cookie for identifying visitors across different sessions. Each time a new Referer is encountered for an ad impression associated with that particular cookie, the advertiser can make a note of the website the user happened to be visiting. Multiply this by thousands of websites embedding banner ads, you get a comprehensive picture of one user’s web surfing behavior, indexed by the unique identifier in that cookie.

Accidental leakage

There is a different type of information disclosure that the referer header can introduce, which is not intended by the origin or destination websites. This happens when secret information used for  access-control are encoded in the query-string portion of the URL. For example it could be an authentication token, password-reset code or other secret used for access control. Consider what happens when such a page embeds content from a third-party website such as an image. When fetching that resource, browser sends a Referer header containing the complete URL (minus fragment identifier) of the current page. Because that includes sensitive data carried in the query-string, the third-party website is now able to impersonate the user or otherwise access private user information stored at the originating site. This type of vulnerability is called a referrer leak. Same outcome happens with a delay if the user were to click on a link from that page to navigate to an external site. There are a couple ways to mitigate this risk. Using a POST instead of GET will keep sensitive form parameters in the content of the form, instead of as part of the URL. Another option is to diligently perform another redirect back to the current page, minus any sensitive query-string parameters. This only works if these parameters can be stashed someplace else such as in a cookie, since they are typically an integral part of the flow.

But given broader privacy concerns with Referer, does it make sense to deprecate this header altogether? In the second part of this post, we will look at some attempts at doing that and argue they are fundamentally incapable of addressing the privacy problem.

[continued]

CP

NFC payments on personal machines: PCI versus innovation (part III)

[continued from part II]

Previous post in this series left off with a discussion of card-present versus card-not-present transaction models for accepting contactless payments directly from end-user machines. That becomes a segue into the broader problem of how exactly the payment network (in other words MasterCard, Visa, American Express) would treat such transactions. Assuming payment processors and websites are willing to make necessary changes to enable this scenario end-to-end– itself an uncertain prospect– should such transactions be treated the same as other Internet purchases? There are at least three scenarios.

1. Optimistic

View these as card-present transactions. Earlier we pointed out the backwards compatibility of some EMV payment protocols. Specifically they produce an emulated “track data” complete with CVC3 (dynamic CVC) that is compatible with the format obtained by swiping a plain magnetic-stripe card. Naively that would suggest one could implement contactless payments  by forwarding this track 1 & 2 data to the payment processor and run it as ordinary card-present transaction conducted at point-of-sale terminal.

But the distinction between card-present and card-not-present goes beyond protocol minutia. It has fundamental implications for the economics of the transaction: CNP typically incurs higher interchange fees, faces greater fraud risks (consequently subject to different thresholds from fraud-detection systems operated by the issuer) and places burden of proof on the merchant in case of consumers disputing a transaction. In this case the card-holder is not physically “present” on any merchant premises. They may well be carrying out the transaction from anywhere around the world on their NFC-equipped laptop. Conferring CP status just because the protocol happens to be compatible seems unwarranted.

2. Status quo

A more cautious approach is to continue treating these transactions as standard CNP, leaving intact the existing distribution of risk skewed towards the merchant. This allows for a more cautious transition on a schedule decided by merchants. Since the economics and liability are identical to credit card numbers typed into an old-fashioned HTML form, it is up to each merchant to determine if there is an advantage to accepting NFC.

Strictly speaking EMV protocols– even the backwards compatible variants– are safer than the status quo for Internet transactions. Instead of typing in the same fixed payment information for each transaction (credit card number, expiration date and CVC2) a unique CVC3 value and sequence-counter are returned from the card. Even if one of these falls into the wrong hands due to a breach of merchant website or malware running on the machine used by the customer, it is not possible for miscreants to reuse the same values to perform another purchase. More importantly that CVC3 is computed as a function of a challenge from the “point-of-sale” terminal. By choosing the challenge the website (or payment processor, depending on design) can achieve higher degree of assurance that the response is indeed generated in real-time by the card, instead of being replayed from a past transaction.

Still there is a cost to accepting NFC payments, especially initially when few customers will be in a position to take advantage of them. Not only do they need laptops or phones equipped with NFC readers, they need to have credit cards with contactless payment capability– something that is entirely under control of the issuer. It is unclear if reduction in risk would justify the extra cost for such niche functionality. (On the other hand offering card-present treatment does create a far more compelling value proposition for merchants, especially online where profit margins are very tight. Even small reductions in interchange fee can translate into significant savings.)

3. Pessimistic

Under the most strict interpretation, payment networks could outright forbid such transactions, declaring that contactless payments are only intended to be carried out at a retail location against “approved” point-of-sale hardware that has been certified by the network. This is where PCI requirements come in. PCI council has published a series of guidelines and recommendations on when mobile devices can serve as point-of-sale terminals. If the end-user hardware is interpreted as “point-of-sale terminal” then a specific PCI mandates apply, as well as individual recommendations from different payment networks. For example MasterCard best-practices require that PIN entry take place on approved external PIN-entry devices only, specifically ruling out commodity mobile devices.

There is a good argument that end-user devices should not be subject to POS criteria. This is not a case where the merchant is buying dedicated equipment for processing transactions. POS rules exist because such equipment concentrates and re-distributes risk. Cash-registers are produced by a manufacturer, installed at a merchant location and then used by thousands of individual customers who stand to lose from a security breach. By contrast the security of an end-user machine user for online purchases affects a small number of people using that particular machine.

It will come down to interpretation and partially, enforcement. Strictly speaking the original incarnation of Square would have been disallowed by these rules. The plastic dongles the company is known for used to pass track-data   read from the card straight to an application running on iPhone or iPad, without any encryption. This design was obvious susceptible to malware running on the host machine. Later incarnations adopted encryption, reducing dependence on host security while still running on off-the-shelf iOS devices. But even before that particular improvement, it was arguably too late to cry foul over alleged PCI infractions– and in this case there is no question that the device qualifies as dedicated POS system. Square created a new market by capturing the long-tail of small merchants who had never accepted credit cards before. This new segment generated significant interchange revenues for payment networks. As long as observed fraud remained manageable, it would have been quite unwise for networks to shutter the system by nitpicking over PCI requirements intended to mitigate hypothetical future attacks.

CP