[FR] Breaking privacy in software by Maria Christofi

The need to store ever more data on mobile phones and IoT devices introduces new privacy and security issues. Malicious actors can target not only server-hosted databases but also users' phones and IoT devices, which can lead to larger data and privacy breaches.

Recent developments in technology include the widespread use of big-data techniques. According to engineers working in this field, storage is now cheap enough to retain a large share of the collected information, while computers are fast enough to analyze it, both in real time and afterwards.

Collected data may include exchanged information that its owner does not consider sensitive, as well as personal data that should be protected. Personal data may be collected by applications and software, without even asking the owner's consent, through smart products such as drones (location, daily routes, photos, habits), smart locks and IP cameras (home addresses, who is where at a given time), smart meters (whether a house or office is occupied, and by how many people), smart cars (the user's personal accounts, location) and many others.

Depending on the attacker's goal and the nature of the collected data, the data can be put to legitimate or malicious use: a recovered credit card number can be used to make purchases on behalf of its legitimate owner or sold on the black market. In the same vein, location data (collected via a smart car or a smart watch) can serve as GPS data, be used for insurance purposes, or be used to track someone's activities and gain access to further information about them. Data therefore need to be protected according to their use. Regulation frames the handling of personal data: in Europe, the GDPR has recently been introduced to enforce the protection of personal data (with anonymization and pseudonymization among its measures), while LOPPSI is French legislation covering personal data and its handling by the French police. Such legislation requires companies to adopt additional software countermeasures to protect their clients' privacy.

Nevertheless, when data are stored on a mobile phone or an IoT device, a malicious actor who wants to extract personal information first has to reverse engineer the corresponding software application and remove all (or part) of the protections in place. Most smart products (if not all of them) come with a mobile application. This may be the weakest part of the ecosystem: if not securely developed, it can grant remote access to attackers (Apvrille 2017), (Omer Shwartz 2017). The software protections applied differ according to the criticality of the information handled and the environment of the given product. In the IoT area security is not built in by design, so few protection schemes are typically used, whereas in other applications with fewer size constraints one can use protection techniques such as encryption/packing (Tom Brosch 2006), (Kevin A. Roundy 2013), code virtualization (Samuel T. King 2006) and anti-debugging or anti-disassembly techniques (Ferrie 2011). Indeed, one way to protect users' data is to transform it into a more ambiguous form so that it is no longer recognizable; many techniques can be used to achieve this (Jasvir Nagra 2009).
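As an added illustration of the "transform the data into a more ambiguous form" idea (example code written for this page, not code from the talk or from any of the works it cites): a secret string is XOR-encoded with a rolling per-byte key so that a `strings`-style scan of the program image no longer finds it, and it is decoded only at run time. The secret value, the seed 0x5A, the key schedule and the simulated image layout are all constructed for the example. The same block shows the limitation the abstract alludes to: because the seed and the schedule ship inside the binary next to the encoded bytes, an analyst who reads them out of the disassembly recovers the secret with the very same transform, without running or debugging the program.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample values for this example only (not from the talk). */
#define SECRET     "api-token-0123"
#define SECRET_LEN (sizeof(SECRET) - 1)
#define SEED       0x5A
#define IMAGE_LEN  64
#define SECRET_OFF 16

/* Rolling key: k_i = (seed + 7*i) mod 256. Seed and schedule are compiled
   into the binary right next to the encoded bytes, which is the weakness. */
static uint8_t key_byte(uint8_t seed, size_t i) {
    return (uint8_t)(seed + 7u * i);
}

/* XOR transform; applying it twice with the same seed restores the input. */
void xor_transform(uint8_t *buf, size_t len, uint8_t seed) {
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key_byte(seed, i);
}

/* Simulated program image (stand-in for a .rodata section): filler bytes,
   then the secret at SECRET_OFF, stored either plain or obfuscated.
   Returns the image length, or 0 if the caller's buffer is too small. */
size_t build_image(uint8_t *image, size_t cap, int obfuscated) {
    if (cap < IMAGE_LEN) return 0;
    memset(image, 0x90, IMAGE_LEN);
    memcpy(image + SECRET_OFF, SECRET, SECRET_LEN);
    if (obfuscated)
        xor_transform(image + SECRET_OFF, SECRET_LEN, SEED);
    return IMAGE_LEN;
}

/* strings-style triage: is the literal byte sequence present in the image? */
int image_contains(const uint8_t *image, size_t ilen, const char *needle) {
    size_t n = strlen(needle);
    if (n == 0 || n > ilen) return 0;
    for (size_t i = 0; i + n <= ilen; i++)
        if (memcmp(image + i, needle, n) == 0) return 1;
    return 0;
}

/* Decode `len` bytes at `off` into a NUL-terminated string. The program
   itself calls this at run time; an analyst calls it with the seed read
   from the disassembly. Returns bytes decoded, or 0 on bad arguments. */
size_t decode_secret(const uint8_t *image, size_t ilen, size_t off, size_t len,
                     uint8_t seed, char *out, size_t cap) {
    if (off + len > ilen || cap < len + 1) return 0;
    memcpy(out, image + off, len);
    xor_transform((uint8_t *)out, len, seed);
    out[len] = '\0';
    return len;
}

int main(void) {
    uint8_t image[IMAGE_LEN];
    char out[SECRET_LEN + 1];

    build_image(image, sizeof image, 0);
    printf("plain image, literal found:       %d\n",
           image_contains(image, IMAGE_LEN, SECRET));

    build_image(image, sizeof image, 1);
    printf("obfuscated image, literal found:  %d\n",
           image_contains(image, IMAGE_LEN, SECRET));

    /* Analyst's recovery: seed and schedule taken from the binary. */
    decode_secret(image, IMAGE_LEN, SECRET_OFF, SECRET_LEN, SEED, out, sizeof out);
    printf("decoded with seed from binary:    %s\n", out);

    /* A guessed seed does not help: every key byte differs. */
    decode_secret(image, IMAGE_LEN, SECRET_OFF, SECRET_LEN, SEED + 1, out, sizeof out);
    printf("decoded with wrong seed matches:  %d\n", strcmp(out, SECRET) == 0);
    return 0;
}
```

The transform defeats only the most superficial triage (grepping the image for literals); it is not encryption, since the "key" is derived from a constant in the same binary. Stronger schemes (packing, code virtualization, white-box cryptography) raise the cost of reading the decode routine out of the disassembly, but the run-time decode still has to happen somewhere, which is what the anti-debugging techniques mentioned above try to hide.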

Depending on the technique selected, one can use a different (or adapted) methodology to try to completely remove these protections, rebuild the original software, or simply gain access to the information that is supposed to be protected. In fact, the goal is not only to protect users' privacy but also to break it when analyzing malicious software, in order to identify the malware's author with a view to legal action and to better protect ourselves.

In this talk we will give a panorama of the different techniques that may be used to remove these protections, as well as the different methodologies that may be applied to safeguard users' privacy. We will explore obfuscation, white-box cryptography (Muir 2012) and anti-reverse-engineering techniques, their limitations, and how to break some of them. We will also discuss the new trend of using provably secure cryptographic schemes to protect privacy, or our malicious acts.

About Maria Christofi @mafach

Maria works as a security consultant in charge of cryptographic activities at Oppida. She holds a PhD from the University of Versailles on applications of formal methods in cryptography and currently works on the security evaluation of various products, testing (among other properties) users' privacy.