OOBD Data Security

Introduction

OOBD allows customer-specific procedures to be created. These can contain confidential information used to change module behaviour, for example to modify settings.

As this confidential information should not become known to the public, it is important to protect the data against misuse.

Data Security: What is possible?

OOBD runs mainly on Android. Android does not have hardware-based crypto chips yet, so OOBD needs to rely on software-based data security.

That means:

    • In principle, software-based data security can only protect data against access by unauthorised persons
    • Software-based data security cannot protect data against misuse by authorised persons

What can unauthorized people do?

For the data to be used, it must be readable by the application at any point in time.

That means:

    • The application must have the capability to read (decrypt) the data
    • Everybody who has the capability to debug the application could follow the decryption process

The 4-Phase Data Protection Concept

To make unauthorized data access as difficult as possible, OOBD uses four mechanisms in a chain to protect the data:

    • Divide the data pool into user groups
    • User-specific data encryption
    • Application-specific data encryption
    • Application program code obfuscation

Phase 1: User Groups

The data pool is split into different user groups.

This has the following effects:

    • Any user, good or evil, can only use (or crack) the data of the user groups he is assigned to.
    • All data in other groups is unreadable for him, as it is encrypted with different keys

Phase 2: User Specific Encryption

As the next step, the data is encrypted with PGP using the individual user's personal key.

This has the following effects:

    • The complete PGP tool set can be used. PGP has been well proven worldwide over decades and can be regarded as secure.
    • Only someone who owns the user key and knows the user pass-phrase can decrypt the data at all. For the rest of the world the data is unreadable
    • As the user needs to use personalised decryption data, this will prevent him from giving these personal details to others

Phase 3: Application Specific Encryption

As the third step, the data is encrypted with PGP using the application-specific key.

This has the following effects:

    • Even an authorized user cannot read the data as such. Only his application, supplied with the user's key and pass-phrase and the application-specific key and pass-phrase, can read the data.
    • By choosing specific application pass-phrases, the application can be branded, since application and data must fit together.
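
The chain of Phases 1 to 3, shown as an added example (not OOBD's own code): it checks that a blob opens only with both the user key and the application key, and only for users assigned to the group. Assumptions: a standard-library HMAC/SHA-256 construction stands in for PGP for illustration, the user layer is applied first with the application layer around it, a group is modelled as the list of users who receive a blob, and all names and sample data are made up.

```python
import hashlib, hmac, os

def kdf(passphrase: str, salt: bytes) -> bytes:
    # Derive a 32-byte layer key from a pass-phrase.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

def _subkeys(key):
    # Separate keys for encryption and for the integrity tag.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _xor_stream(key, nonce, data):
    # SHA-256 counter-mode keystream: stdlib stand-in for PGP (assumption).
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    # One encryption layer: nonce || ciphertext || HMAC tag.
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    ct = _xor_stream(enc, nonce, plaintext)
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    # Remove one layer; a wrong key fails the tag check instead of yielding garbage.
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified data")
    return _xor_stream(enc, nonce, ct)

def protect(data, user_key, app_key):
    # Phase 2 (user layer) first, then Phase 3 (application layer) around it.
    return seal(app_key, seal(user_key, data))

def load(blob, user_key, app_key):
    # Only an application holding BOTH keys recovers the plaintext.
    return unseal(user_key, unseal(app_key, blob))

def publish(pool, groups, user_keys, app_key):
    # Phase 1: a user receives a blob only for the groups he is assigned to.
    return {(g, u): protect(pool[g], user_keys[u], app_key)
            for g, members in groups.items() for u in members}

# Constructed sample data (group names, users and payloads are made up).
POOL = {"workshop": b"set_option 0x2A", "hobby": b"read_dtc"}
GROUPS = {"workshop": ["alice"], "hobby": ["alice", "bob"]}
```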

Phase 4: Application Code Obfuscation

As said for Phase 3, the application decrypts the data by knowing the application-specific pass-phrase. To stop an evil user from identifying this pass-phrase and the encrypted data as such, the application code is obfuscated.

That means:

    • Even with all necessary details (key file and pass-phrase), the evil user still needs advanced skills and technology to bring the program code back into a readable format and to understand the process.
    • The quality of program obfuscation is mainly a matter of money. The more that can be spent, the more secure the obfuscation is.

Summary

When using 4-Phase Data Encryption, at least the following three conditions need to come together to get unauthorized access (limited to the data of the user's own groups):

    • Being "Evil"
    • Access to pass-phrase and key file
    • Advanced debugging skills and technology

Residual Risk