Fides – Unleashing the Full Potential of Remote Attestation

Publication: Chapter in book/report/conference proceedings - Conference contribution - Research - peer-reviewed

Abstract

In connected mobile app settings, back-ends have no means to reliably verify the integrity of clients. For this reason, services aimed at mobile users employ (unreliable) heuristics to establish trust. We tackle the issue of mobile client trust on the Android platform by harnessing features of current Android devices and show how it is now possible to remotely verify the integrity of mobile client applications at runtime. This makes it possible to perform sensitive operations on devices outside a service operator's control.
We present Fides, which improves the security properties of typical connected applications and foregoes heuristics for determining a device's state such as SafetyNet or root checks. At its core, our work is based on the advancements of Android's key attestation capabilities, which means that it does not impose a performance penalty. Our concept is widely applicable in the real world and does not remain a purely academic thought experiment. We demonstrate this by providing a lightweight, easy-to-use library that is freely available as open source software. We have verified that Fides even outperforms the security measures integrated into critical applications like Google Pay.
Original language: English
Title: Proceedings of the 16th International Joint Conference on e-Business and Telecommunications
Publisher: SciTePress - Science and Technology Publications
Pages: 314-321
Volume: 2: SECRYPT
DOIs: 10.5220/0008121003140321
Publication status: Published - Jul 2019

Fingerprint

Application programs
Experiments
Open source software

Cite this

Prünster, B., Palfinger, G., & Kollmann, C. P. (2019). Fides – Unleashing the Full Potential of Remote Attestation. In Proceedings of the 16th International Joint Conference on e-Business and Telecommunications (Vol. 2: SECRYPT, pp. 314-321). SciTePress - Science and Technology Publications. https://doi.org/10.5220/0008121003140321

Fides – Unleashing the Full Potential of Remote Attestation. / Prünster, Bernd; Palfinger, Gerald; Kollmann, Christian Paul.

Proceedings of the 16th International Joint Conference on e-Business and Telecommunications. Vol. 2: SECRYPT. SciTePress - Science and Technology Publications, 2019. pp. 314-321.

Prünster, B, Palfinger, G & Kollmann, CP 2019, Fides – Unleashing the Full Potential of Remote Attestation. In Proceedings of the 16th International Joint Conference on e-Business and Telecommunications. Vol. 2: SECRYPT, SciTePress - Science and Technology Publications, pp. 314-321. https://doi.org/10.5220/0008121003140321
Prünster B, Palfinger G, Kollmann CP. Fides – Unleashing the Full Potential of Remote Attestation. In Proceedings of the 16th International Joint Conference on e-Business and Telecommunications. Vol. 2: SECRYPT. SciTePress - Science and Technology Publications. 2019. pp. 314-321. https://doi.org/10.5220/0008121003140321
Prünster, Bernd ; Palfinger, Gerald ; Kollmann, Christian Paul. / Fides – Unleashing the Full Potential of Remote Attestation. Proceedings of the 16th International Joint Conference on e-Business and Telecommunications. Vol. 2: SECRYPT. SciTePress - Science and Technology Publications, 2019. pp. 314-321
@inproceedings{bd9cf559363147b39a0c22b0d7f7c239,
title = "Fides – Unleashing the Full Potential of Remote Attestation",
abstract = "In connected mobile app settings, back-ends have no means to reliably verify the integrity of clients. For this reason, services aimed at mobile users employ (unreliable) heuristics to establish trust. We tackle the issue of mobile client trust on the Android platform by harnessing features of current Android devices and show how it is now possible to remotely verify the integrity of mobile client applications at runtime. This makes it possible to perform sensitive operations on devices outside a service operator's control. We present Fides, which improves the security properties of typical connected applications and foregoes heuristics for determining a device's state such as SafetyNet or root checks. At its core, our work is based on the advancements of Android's key attestation capabilities, which means that it does not impose a performance penalty. Our concept is widely applicable in the real world and does not remain a purely academic thought experiment. We demonstrate this by providing a lightweight, easy-to-use library that is freely available as open source software. We have verified that Fides even outperforms the security measures integrated into critical applications like Google Pay.",
author = "Bernd Pr{\"u}nster and Gerald Palfinger and Kollmann, {Christian Paul}",
year = "2019",
month = "7",
doi = "10.5220/0008121003140321",
language = "English",
volume = "2: SECRYPT",
pages = "314--321",
booktitle = "Proceedings of the 16th International Joint Conference on e-Business and Telecommunications",
publisher = "SciTePress - Science and Technology Publications",

}

TY  - GEN
T1  - Fides – Unleashing the Full Potential of Remote Attestation
AU  - Prünster, Bernd
AU  - Palfinger, Gerald
AU  - Kollmann, Christian Paul
PY  - 2019/7
Y1  - 2019/7
N2  - In connected mobile app settings, back-ends have no means to reliably verify the integrity of clients. For this reason, services aimed at mobile users employ (unreliable) heuristics to establish trust. We tackle the issue of mobile client trust on the Android platform by harnessing features of current Android devices and show how it is now possible to remotely verify the integrity of mobile client applications at runtime. This makes it possible to perform sensitive operations on devices outside a service operator's control. We present Fides, which improves the security properties of typical connected applications and foregoes heuristics for determining a device's state such as SafetyNet or root checks. At its core, our work is based on the advancements of Android's key attestation capabilities, which means that it does not impose a performance penalty. Our concept is widely applicable in the real world and does not remain a purely academic thought experiment. We demonstrate this by providing a lightweight, easy-to-use library that is freely available as open source software. We have verified that Fides even outperforms the security measures integrated into critical applications like Google Pay.
AB  - In connected mobile app settings, back-ends have no means to reliably verify the integrity of clients. For this reason, services aimed at mobile users employ (unreliable) heuristics to establish trust. We tackle the issue of mobile client trust on the Android platform by harnessing features of current Android devices and show how it is now possible to remotely verify the integrity of mobile client applications at runtime. This makes it possible to perform sensitive operations on devices outside a service operator's control. We present Fides, which improves the security properties of typical connected applications and foregoes heuristics for determining a device's state such as SafetyNet or root checks. At its core, our work is based on the advancements of Android's key attestation capabilities, which means that it does not impose a performance penalty. Our concept is widely applicable in the real world and does not remain a purely academic thought experiment. We demonstrate this by providing a lightweight, easy-to-use library that is freely available as open source software. We have verified that Fides even outperforms the security measures integrated into critical applications like Google Pay.
U2  - 10.5220/0008121003140321
DO  - 10.5220/0008121003140321
M3  - Conference contribution
VL  - 2: SECRYPT
SP  - 314
EP  - 321
BT  - Proceedings of the 16th International Joint Conference on e-Business and Telecommunications
PB  - SciTePress - Science and Technology Publications
ER  -