security of mobility as a service maas
play

Security of Mobility-as-a-Service(MaaS) applications on Mobile - PowerPoint PPT Presentation

Apr 07, 2024 •266 likes •522 views

Security of Mobility-as-a-Service(MaaS) applications on Mobile Phones. Alexander Blaauwgeers alexander.blaauwgeers@os3.nl University of Amsterdam Student Presentation for Research Project 1 RP1 Project Presentation Supervisor: Alex

  1. Security of Mobility-as-a-Service(MaaS) applications on Mobile Phones. Alexander Blaauwgeers alexander.blaauwgeers@os3.nl University of Amsterdam Student Presentation for Research Project 1 RP1 Project Presentation Supervisor: Alex Stavroulakis November 13, 2019 B.A. Blaauwgeers (UvA) Privacy of MaaS Apps November 13, 2019 1 / 24

  2. Introduction: MaaS... s / r i j - p k e e l n - e g t e n - e o e i r - g e r b / u n l n . . v w w / w : / p s t t h https://www.nrc.nl/nieuws/2015/04/27/gebruik-jij-uber-airbnb-peerby-dan-ben-je-een-v-1490577-a406752 B.A. Blaauwgeers (UvA) Privacy of MaaS Apps November 13, 2019 2 / 24

  3. Introduction: The Problem... ”Under new city rules, every company with a permit to rent out scooters or shared bicycles must send data to transportation officials on every trip the vehicles make.” 2 2 Source: https://www.latimes.com/local/lanow/la-me-ln-los-angeles-scooter-surveillance- privacy-20190315-story.html B.A. Blaauwgeers (UvA) Privacy of MaaS Apps November 13, 2019 3 / 24

  4. Related Work Costantini 3 has written in his overview that the data of MaaS has such huge economic value . Which makes it important to establish regulations and restrictions on if and how such information should be transferred or shared with other parties for commercial purposes. GDPR 4 provided companies specific criteria and rules which state that users (Data subjects) have the right to know what personal data companies store and process. This includes the source of their personal data, the purpose of processing, and the length of time the data will be held, among other items. Most importantly, they have a right to be provided with the personal data of theirs that companies are processing. 3 Federico Costantini. “MaaS and GDPR: an overview”. arXiv:1711.02950 (2017) 4 Right of access by the data subject (art. 15 GDPR) https://gdpr.eu/article-15-right-of-access/ (visited on 09/23/2019) B.A. Blaauwgeers (UvA) Privacy of MaaS Apps November 13, 2019 4 / 24

  5. Research question The main question for this research is: What type of personal information is collected by Mobility-as-a-Service (MaaS) applications, how is this data secured and is this data necessary to operate the service offered to the user? The research question can be divided into multiple sub-questions: What kind of MaaS applications are available and what service do they offer 1 to the user? What techniques are used to securely send personal information? And 2 how can these techniques be bypassed ? What kind of personal information is collected and send the the MaaS 3 applications by looking at their traffic and data storage ? If collected, Is this data necessary to preform the service offered to the user? 4 B.A. Blaauwgeers (UvA) Privacy of MaaS Apps November 13, 2019 5 / 24

  6. Classification of MaaS Sochor[ ? ] has written in her topological approach about the different viewpoints to classify MaaS applications. She writes that you can differ them By Service By the level of Integration She defined the following levels of integration; Integration of information 1 Integration of booking and payment 2 Integration of the service offer 3 Integration of societal goals 4 B.A. Blaauwgeers (UvA) Privacy of MaaS Apps November 13, 2019 6 / 24

  7. Examples of MasS Applications for Android (longlist) Beat 5 1 Bolt 6 2 YandexTaxi 7 3 Uber 8 4 NSapp 9 5 OVapi 10 6 Lime 11 7 5 https://thebeat.co 6 https://bolt.eu 7 https://taxi.yandex.com 8 https://uber.com 9 https://www.ns.nl 10 https://ovapi.nl 11 https://www.li.me B.A. Blaauwgeers (UvA) Privacy of MaaS Apps November 13, 2019 7 / 24

  8. Methods: Test environment (Overview) Figure: Our test environment B.A. Blaauwgeers (UvA) Privacy of MaaS Apps November 13, 2019 8 / 24

  9. Android Security Improvement ” By default, secure connections (using protocols like TLS and HTTPS) from all apps trust the pre-installed system CAs, and apps targeting Android 6.0 (API level 23) and lower also trust the user-added CA store by default.” 12 Impact Limitation of this that the Phone needs to be rooted Uber had some problem/protection during the experiment. 12 https://developer.android.com/training/articles/security-config.html B.A. Blaauwgeers (UvA) Privacy of MaaS Apps November 13, 2019 9 / 24

  10. Methods: Test environment (Detail) 1/2 To conduct the experiment we used the following tools have been used; SOFTWARE T 1 : Frida Framework Frida[ ? ] is a framework, used by pen-testers, to inject your foreign code and scripts into black box processes. This framework is used to bypass SSL certificate pinning within some applications. T 2 : Android Debugger (adb) Android Debug Bridge(adb)[ ? ] is a command-line tool that lets you communicate with an android device for which it provides access to the Unix shell. Adb has been installed as part of the AndroidTools[ ? ] packages which help run Debian in a chroot on Android. AndroidTools is based on the Android SDK. T 3 : FakeGPS FakeGPS[ ? ] is a Android tool to fake GPS location. T 4 : BurpSuite BurpSuite[ ? ] is a Java based application used to test and analyse the security of applications. It is used as Man-in-the-Middle(MitM) proxy. T 5 : Google Play Store(Android App Market) The experiments have been conducted on the latest original version off the apps. Downloaded at 10 October 2019 from the Google Play store. B.A. Blaauwgeers (UvA) Privacy of MaaS Apps November 13, 2019 10 / 24

  11. Methods: Test environment (Detail) 2/2 To conduct the experiment we used the following tools have been used; HARDWARE T 5 : Phone: HTC10 Running android 8.0 T 6 : Vodafone Mobile SIM A Dutch simcard to receive SMS text messages during the project. This card was not used before. T 6 : Genymotion Android Emulator Genymotion is an Android Emulator. It can be used to emulate Android applications in a sandboxed environment. The emulator was only used in the initial phase of the project. T 7 : Generic Desktop with Ubuntu Linux B.A. Blaauwgeers (UvA) Privacy of MaaS Apps November 13, 2019 11 / 24

  12. Results 1a: Network Yandex B.A. Blaauwgeers (UvA) Privacy of MaaS Apps November 13, 2019 12 / 24

  13. Results 1b: Network Yandex B.A. Blaauwgeers (UvA) Privacy of MaaS Apps November 13, 2019 13 / 24

  14. Results 2: Other apps TaxiBeat userid=sdkfjklfjklsdfjskldf apps=com.uberca b B.A. Blaauwgeers (UvA) Privacy of MaaS Apps November 13, 2019 14 / 24

  15. Results 3a: Registration TaxiBeat Yandex B.A. Blaauwgeers (UvA) Privacy of MaaS Apps November 13, 2019 15 / 24

  16. Results 3b: Authentication Token TaxiBeat Yandex B.A. Blaauwgeers (UvA) Privacy of MaaS Apps November 13, 2019 16 / 24

  17. Results 3c: SMS Bla BLa B.A. Blaauwgeers (UvA) Privacy of MaaS Apps November 13, 2019 17 / 24

  18. Results 3d: Script We can see the output of the script in on the next slide B.A. Blaauwgeers (UvA) Privacy of MaaS Apps November 13, 2019 18 / 24

  19. Results 3e: Output We can see the output of the script in on the next slide B.A. Blaauwgeers (UvA) Privacy of MaaS Apps November 13, 2019 19 / 24

  20. Results 3f: RFC 6749 10.10. Credentials-Guessing Attacks The authorization server MUST prevent attackers from guessing access tokens, authorization codes, refresh tokens, resource owner passwords, and client credentials. B.A. Blaauwgeers (UvA) Privacy of MaaS Apps November 13, 2019 20 / 24

  21. Discussion Improper Platform Usage Unintended Data Leakage Insecure Authentication Example of a credential guessing attack B.A. Blaauwgeers (UvA) Privacy of MaaS Apps November 13, 2019 21 / 24

  22. Conclusion The main question for this research is: What type of personal information is collected by Mobility-as-a-Service (MaaS) applications, how is this data secured and is this data necessary to operate the service offered to the user? The research question can be divided into multiple sub-questions: What kind of MaaS applications are available and what service do they offer 1 to the user? What techniques are used to securely send personal information? And 2 how can these techniques be bypassed ? What kind of personal information is collected and send the the MaaS 3 applications by looking at their traffic and data storage ? If collected, Is this data necessary to preform the service offered to the user? 4 B.A. Blaauwgeers (UvA) Privacy of MaaS Apps November 13, 2019 22 / 24

  23. Future work What is the minimal need of information for MaaS Applications? What is inside the Yandex Blob? GDPR Audit; with a experienced Law viewpoint? More applications; Other mobile platforms; Web only applications; B.A. Blaauwgeers (UvA) Privacy of MaaS Apps November 13, 2019 23 / 24

  24. Closing Thank you for your attention Questions B.A. Blaauwgeers (UvA) Privacy of MaaS Apps November 13, 2019 24 / 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

MaaS: Governance & Contracts Andrew Page Lucy Pegler Senior Associate Future Mobility Lead

MaaS: Governance & Contracts Andrew Page Lucy Pegler Senior Associate Future Mobility Lead

MaaS: Governance & Contracts Andrew Page Lucy Pegler Senior Associate Future Mobility Lead Burges Salmon LLP Policy, Strategy & Innovation What is MaaS? Mobility as a Service (MaaS) is the integration of various forms of transport

472 views • 29 slides
www.maas-scotland.com info@maas-scotland.com

www.maas-scotland.com info@maas-scotland.com

www.maas-scotland.com info@maas-scotland.com @MaaSScotland Outline of the day Introducing a mobility revolution Tea/Coffee The role of central and local government in MaaS MaaS in

330 views • 11 slides
Summary Introduction MobilityOverview Focus on Mobility as a Service (MaaS) MoovaProduct

Summary Introduction MobilityOverview Focus on Mobility as a Service (MaaS) MoovaProduct

Summary Introduction MobilityOverview Focus on Mobility as a Service (MaaS) MoovaProduct MoovaImpact Areas DigitalizationImpacts DigitalizationBenefits 2 Introduction - Digitalization expectation Why companies trend is moving towards

533 views • 20 slides
MaaS in Vienna An introduction to Upstream Gerald Stckl Mobility can now be seen as an

MaaS in Vienna An introduction to Upstream Gerald Stckl Mobility can now be seen as an

MaaS in Vienna An introduction to Upstream Gerald Stckl Mobility can now be seen as an information service with physical transportation products, rather than a transportation product with additional services. The Role of

351 views • 6 slides
The Internet of Mobility Unlock the potential of MaaS Jeremy Dalton Method City / TravelSpirit

The Internet of Mobility Unlock the potential of MaaS Jeremy Dalton Method City / TravelSpirit

The Internet of Mobility Unlock the potential of MaaS Jeremy Dalton Method City / TravelSpirit June 11, 2018 jeremy@method.city Universal Mobility as a Service Open Innovation Global Community Local Benefit travelspirit.foundation We

525 views • 19 slides
MOBILITY AS A SERVICE EXPLORING THE OPPORTUNITY FOR M AA S IN THE UK STEVE YIANNI (CEO) JAMES

MOBILITY AS A SERVICE EXPLORING THE OPPORTUNITY FOR M AA S IN THE UK STEVE YIANNI (CEO) JAMES

MOBILITY AS A SERVICE EXPLORING THE OPPORTUNITY FOR M AA S IN THE UK STEVE YIANNI (CEO) JAMES DATSON (MAAS LEAD) WELCOME & OPENING REMARKS 21/9/2016 TRANSPORT SYSTEMS CATAPULT Create an environment that will make the UK a World leader

416 views • 14 slides
EVP, Products & Strategy Strategy Session - MaaS Erez Dagan Mobility Market

EVP, Products & Strategy Strategy Session - MaaS Erez Dagan Mobility Market

EVP, Products & Strategy Strategy Session - MaaS Erez Dagan Mobility Market Inefficiencies & opportunity The Mobility Supply challenge Serve individual A-to-B-at-T demand instances, while minimizing latencies , costs and

610 views • 21 slides
TravelSpirit and the Open Internet of Mobility Open internet of mobility Call SmartCard

TravelSpirit and the Open Internet of Mobility Open internet of mobility Call SmartCard

TravelSpirit and the Open Internet of Mobility Open internet of mobility Call SmartCard Contactless App Data Payment MaaS Journey Platform Operator Planner aggregator facilitator Service planner Open data feeds Platform

339 views • 7 slides
MaaS and the Effect of AVs on People, Place and Policy Daniel Peterson, PE, PTOE, PTP Autonomous

MaaS and the Effect of AVs on People, Place and Policy Daniel Peterson, PE, PTOE, PTP Autonomous

MaaS and the Effect of AVs on People, Place and Policy Daniel Peterson, PE, PTOE, PTP Autonomous Vehicles 2 | URTC Transportation Technology Symposium November 15, 2016 Mobility as a Service 3 | URTC Transportation Technology Symposium November

595 views • 20 slides
Maas Energy Works, Inc. Renewable Energy that Works Daryl Maas Chief Executive Officer

Maas Energy Works, Inc. Renewable Energy that Works Daryl Maas Chief Executive Officer

Maas Energy Works, Inc. Renewable Energy that Works Daryl Maas Chief Executive Officer Maas Energy Works Digester Projects California Sites Washington & Oregon Sites Why are we here? Maas aas Ene Energy Works s Verified d

454 views • 17 slides
GETTING SMART ER ON ENERGY & MOBILITY REUBEN SARKAR Department of Energy June 2 nd , 2016

GETTING SMART ER ON ENERGY & MOBILITY REUBEN SARKAR Department of Energy June 2 nd , 2016

GETTING SMART ER ON ENERGY & MOBILITY REUBEN SARKAR Department of Energy June 2 nd , 2016 THE OPPORTUNITY AND PROBLEM . Massive wave of changes hitting our transportation system Megatrends Shared Mobility MaaS GPS/Map Services

394 views • 12 slides
Introducing Scala in Java territory Peter Maas 2011-Q4 eBay Inc. confidential Peter Maas

Introducing Scala in Java territory Peter Maas 2011-Q4 eBay Inc. confidential Peter Maas

Introducing Scala in Java territory Peter Maas 2011-Q4 eBay Inc. confidential Peter Maas Team lead at eBay Classifieds Group working on B2C portfolio for Marktplaats & DBA Clicks / PageViews / Money Interested in programming

635 views • 27 slides
JOINT UTILITIES RENEWABLE GAS INTERCONNECTION AGREEMENTS Maas Energy Works Comments Daryl

JOINT UTILITIES RENEWABLE GAS INTERCONNECTION AGREEMENTS Maas Energy Works Comments Daryl

JOINT UTILITIES RENEWABLE GAS INTERCONNECTION AGREEMENTS Maas Energy Works Comments Daryl Maas CEO Maas Energy Works May 14, 2020 The California dairy biogas industry is growing, while at the same time shifting to biomethane vs

404 views • 7 slides
Autonomous Personal Mobility Scooter for Multi-Class Mobility-on-Demand Service Hans Andersen 1 ,

Autonomous Personal Mobility Scooter for Multi-Class Mobility-on-Demand Service Hans Andersen 1 ,

Introduction Conclusion Autonomous Personal Mobility Scooter for Multi-Class Mobility-on-Demand Service Hans Andersen 1 , You Hong Eng 2 , Wei Kang Leong 2 , Chen Zhang 2 , Hai Xun Kong 2 , Scott Pendleton 1 , Marcelo H. Ang Jr 1 , and Daniela

412 views • 20 slides
The Tale of Two Streaming APIs Gerard Maas Senior SW Engineer, Lightbend, Inc. Gerard Maas

The Tale of Two Streaming APIs Gerard Maas Senior SW Engineer, Lightbend, Inc. Gerard Maas

Processing Fast Data with Apache Spark: The Tale of Two Streaming APIs Gerard Maas Senior SW Engineer, Lightbend, Inc. Gerard Maas Seor SW Engineer @maasg https://github.com/maasg https://www.linkedin.com/ in/gerardmaas/

933 views • 54 slides
DAY 2 MOBILITY MOBILITY SERVICES, MANAGED On Day 1 you signed a new carrier agreement, now what?

DAY 2 MOBILITY MOBILITY SERVICES, MANAGED On Day 1 you signed a new carrier agreement, now what?

DAY 2 MOBILITY MOBILITY SERVICES, MANAGED On Day 1 you signed a new carrier agreement, now what? Day 2 Mobility transforms the management of your mobile devices by offering a fully Managed Mobility Service solution. Our integrated mobile asset

646 views • 27 slides
Testbed for Multi-access Edge Computing V2X applications prototyping and evaluation Bilel CHERIF,

Testbed for Multi-access Edge Computing V2X applications prototyping and evaluation Bilel CHERIF,

Testbed for Multi-access Edge Computing V2X applications prototyping and evaluation Bilel CHERIF, Nicolas RIVIERE, Pascal BERTHOU, Yann LABIT SARA/TSF Team, LAAS-CNRS ERTS, January, 29th 2020 Laboratoire conventionn LAAS-CNRS avec

312 views • 20 slides
Android Michael Greifeneder Image source: Android homepage Inhalt Overwiew Hardware

Android Michael Greifeneder Image source: Android homepage Inhalt Overwiew Hardware

Android Michael Greifeneder Image source: Android homepage Inhalt Overwiew Hardware Software Development Tools Basics Debugging/Emulator Location Demo Android And Me Why I like Android Blend of Linux

1.01k views • 25 slides
A proof of concept for IEEE P1581 P1581 Demo Board discussion and demonstration Heiko Ehrenberg,

A proof of concept for IEEE P1581 P1581 Demo Board discussion and demonstration Heiko Ehrenberg,

A proof of concept for IEEE P1581 P1581 Demo Board discussion and demonstration Heiko Ehrenberg, GOEPEL Electronics IEEE P1581 WG chair 1 Objective Background Information on IEEE P1581 Introduction of P1581 Demo Board Compare Test

462 views • 14 slides
Graphics acceleration on Replicant David Ludovino (@dllud) Ricardo Cabrita (@GrimKriegor)

Graphics acceleration on Replicant David Ludovino (@dllud) Ricardo Cabrita (@GrimKriegor)

Graphics acceleration on Replicant David Ludovino (@dllud) Ricardo Cabrita (@GrimKriegor) NLnet - NGI0 PET Fund Saturday 27 th July, 2019 with great support from Joonas Kylm al a (@Putti) 1 / 37 Motivation All supported devices

484 views • 37 slides
OpenVMS hypervised as-is artedi e.U. Agenda I so what is Hypervision ? and why is

OpenVMS hypervised as-is artedi e.U. Agenda I so what is Hypervision ? and why is

OpenVMS hypervised as-is artedi e.U. Agenda I so what is Hypervision ? and why is it needed/used ? Types of Hypervision why not OpenVMS ? Processor Architectures artedi e.U. Mai-16 2 Agenda - II what else is

660 views • 38 slides
New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective

New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective

New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective Techniques Allison Lewko Brent Waters Roots of Attribute-Based Encryption Moving beyond Public Key Encryption: CEO Manager 1 Manager 2 Bob

341 views • 19 slides
Analysis of the WinZip Encryption Method Paper by: Tadayoshi Kohno Presented by: Ken, Mike,

Analysis of the WinZip Encryption Method Paper by: Tadayoshi Kohno Presented by: Ken, Mike,

Analysis of the WinZip Encryption Method Paper by: Tadayoshi Kohno Presented by: Ken, Mike, Jeremy & Paul The popular compression utility for Microsoft Windows computers Easy-to-use AES encryption - Advanced Encryption version

492 views • 38 slides
Security and Performance Analysis of Encrypted NoSQL Databases M.W. Grim BSc., Abe Wiersma BSc.

Security and Performance Analysis of Encrypted NoSQL Databases M.W. Grim BSc., Abe Wiersma BSc.

Security and Performance Analysis of Encrypted NoSQL Databases M.W. Grim BSc., Abe Wiersma BSc. Supervisor: F. Turkmen PhD February 6, 2017 University of Amsterdam Introduction Problem Securely storing BigData on NoSQL database systems.

669 views • 48 slides

More recommend