Using Smart Cards to Mitigate Security Threats on Mobile Devices

Abstract

This master thesis developed and tested the idea that smart cards are able to help mitigate security threats on mobile devices that are handling sensitive data. Investigating the limitations of smart cards is a fundamental part of the idea and we performed in-depth testing and analysis of what smart cards are capable of. Our study shows that smart cards are limited by their low processing power, low amount of memory and a severely lacking application programming language. These limitations affect smart cards usefulness concerning cryptography and data processing. Additionally, lack of standard support for smart cards in modern mobile operating systems is a limitation we investigate and propose solutions for. Despite these limitations, smart cards can still be a useful asset as they offer a secure execution environment and are tamper resistant. Viable use cases include secure key generation, management and storage, digital signing, encryption, strong authentication and the possibility to run small specialized applets securely. More complex use cases are also possible, but require additional external components and infrastructure to be realized. For instance, a smart card could be used as a simple policy enforcement point, given that we had a trusted third party available, and a functioning public key infrastructure in place. We were able to construct an Android library and a smart card applet for secure communication, but there still remains research on the topic. Not all functionality were implemented due to time constraints and technical issues, but the framework foundations are in place so that extensions can be quickly and easily implemented. Future work may include full scale testing of our framework, additional development and testing on more technological advanced smart cards.