Page 10 - FIGI: Security analysis of the KaiOS feature phone platform for DFS applications Security, Infrastructure and Trust Working Group

1.2.2   Smart phones

Smart phones are phones with an advanced set of hardware and software capabilities. Typical features are a touch screen, fingerprint readers, a hardware security module for storing secrets, fast and diverse data communication technology and a choice of millions of third-party applications.

[Figure: iPhone]

1.2.3   Feature phones

Feature phones are the intermediate ground between basic and smart phones. They are built to be affordable but still allow the installation of third-party applications. They lack hardware features like a touch screen, a fingerprint reader or a hardware security module. Hundreds of third-party applications can be installed from application stores. Most importantly, feature phones are the cheapest way to access the Internet and are seen as an important tool in bridging the digital divide.
Feature phones can be used to access DFS either by installing the corresponding app on the phone or by accessing a web-based DFS.

[Figure: Jio phone running WhatsApp on KaiOS.¹]






2  SECURITY RECOMMENDATIONS FOR DFS

To assess the security of KaiOS for DFS, a set of security criteria required for DFS needs to be defined. The recommendations on DFS put forth in the report on the Security Aspects of Digital Financial Services² of the ITU-T Focus Group Digital Financial Services can be used as security criteria to assess the security of the KaiOS operating system. The report makes twenty recommendations. Below are the nine recommendations specifically dealing with the operating system and the software architecture of a phone.

R 1.   Consider the use of strong authentication mechanisms to demonstrate ownership of the device.
R 2.   Make use of hardware and software mechanisms within mobile devices, such as secure elements and TEEs, which can ensure device integrity, and promote the use of devices equipped with security features for use in DFS.
R 3.   Whether an application is designed for deployment on the handset or secure element, it should be designed and implemented in accordance with best practices, including encrypted and authenticated communication and secure coding practices to harden the app.
R 4.   Apps should be subjected to external security review and penetration testing, and any recommendations acted upon.
R 5.   Apps should securely manage username and password information so that adversaries cannot easily forge credentials, and should use strong authentication mechanisms to protect against unauthorized access.
R 6.   Regular security updates are critical to ensure that mobile operating systems running on user devices operate using the latest security patches.
R 7.   Ensure that security libraries offered by the operating system are correctly designed and implemented and that the cipher suites they support are sufficiently strong.
R 8.   The handset operating system should be configured in a way to reduce the size of the trusted computing base.
R 9.   Consider transitioning away from mobile applications that leverage SMS and USSD in favor of solutions that use strong public key cryptography and end-to-end security.


