Applying Smart Cards for Security Critical Mobile Applications

Title: Applying Smart Cards for Security Critical Mobile Applications
Publication Type: Thesis
Year of Publication: 2018
Authors: Hölzl, M
Date Published: 02/2018
University: Johannes Kepler University Linz, Institute of Networks and Security
Thesis Type: PhD Thesis

The insufficient security and privacy level of mobile devices makes it difficult to deploy security critical systems such as mobile banking, mobile credit cards, mobile ticketing, or mobile passports. Unauthorized access or data manipulation by third parties (e.g. a malicious application or an adversary with physical access to the device) presents a major security threat for these apps. In recent years, many service providers have attempted to address these security challenges by shifting the main operations, and therefore the main trust, to backend server systems. While such an approach can help to solve the issues of untrustworthy mobile devices, it also raises new security as well as privacy concerns (e.g. a central single point of failure, and whether data is adequately protected and not passed on to third parties). Solving these challenges by increasing the security of, and therefore the trust in, mobile devices could result in better mobility and a higher level of confidence in security critical applications for end-users as well as service providers.

In this dissertation, multiple solutions are presented that improve the security of mobile platforms by making use of tamper resistant hardware on mobile devices. In particular, we use smart cards, a technology which is already used by many security critical applications (e.g. bank cards, passports, access cards, credit cards, etc.). We present the vision of an open ecosystem in which mobile applications can use this dedicated hardware to protect any kind of sensitive data. The limitations and challenges of such an integration are addressed, together with solutions to overcome them. In addition, we introduce new techniques that build their trust upon smart cards on mobile devices and help to increase the security of the platform as a whole as well as of the applications running on it.

As an example of a mobile application with high security demands, we also introduce a novel eID scheme. Our system has a special focus on protecting the privacy of eID holders and can be used like a regular ID card to digitally authenticate a user to another physical person in the real world. With the presented scheme, we consequently also demonstrate the practicability of using smart cards on mobile devices to increase the security of mobile applications without degrading usability.