Ajin Abraham

Application Security Engineer, Yodlee (India)

Shubham Bansal

Paper Title

Hacking Tizen: The OS of Everything

Abstract

Tizen is an operating system built to run on many kinds of devices. Tizen OS defines the following profiles based on the supported device types:

  1. Tizen IVI (in-vehicle infotainment)
  2. Tizen Mobile
  3. Tizen TV, and
  4. Tizen Wearable

Samsung's first Tizen-based devices are set to be launched in India in Nov 2014. This paper presents the outcome of a security analysis of Tizen OS. The paper begins with a quick introduction to the Tizen architecture, explaining the various components of Tizen OS. This is followed by Tizen's security model, in which Application Sandboxing and Resource Access Control powered by Smack are explained.

The vulnerabilities in Tizen identified during the research and responsibly disclosed to the Tizen community will be discussed. These include Tizen WebKit2 address spoofing and content injection, buffer overflows, issues in memory protections such as ASLR and DEP, injecting an SSL certificate into the trusted zone, Shellshock (CVE-2014-6271), etc. Applications in Tizen can be written in HTML5/JS/CSS or natively in C/C++. An overview of pentesting Tizen applications will be presented, along with some of the issues impacting the security of Tizen applications. Comparisons will be made to Android applications, and to how these security issues differ in Tizen.
For example: security issues with inter-application communication through custom URL schemes or intent broadcasting in Android, as opposed to using the MessagePort API in Tizen; issues with WebView and the JavaScript bridge in Android compared to how web-to-native communication is handled in Tizen; etc.
Tizen is a late entrant to the market compared to Android or iOS, which gives it the benefit of learning from the mistakes that have impacted the security of mobile operating systems and fixing these issues directly in its security architecture. To conclude, the speaker will give a verdict on how much Tizen has achieved in making this mobile OS a secure one.

Speaker Bio

Ajin Abraham is an Application Security Engineer for Yodlee. He is the founder of the OWASP Xenotix XSS Exploit Framework Project. He is a strong supporter of free and open information security education. His work can be found at http://opensecurity.in. His areas of interest include web app and stand-alone app security and coding tools. He has been invited to speak at multiple security conferences, including ClubHack, NULLCON, OWASP AppSec AsiaPac 2013, BlackHat Europe 2013, Hackmiami 2013, Confidence 2013, BlackHat US 2013, ToorCon San Diego, and Ground Zero Summit.

Copyright © 2017-18 | Nullcon India | International Security Conference | All Rights Reserved