Threats to mobile security are becoming varied and stronger. Managing mobile security is a big challenge for a number of reasons. Traditional IT security and mobile security are different propositions to a great extent. That is why the approach to mobile security needs to be different. A number of strategies are being implemented, including dual OS, remote wiping, secure browsing and app lifecycle management. While enterprises are working on improving security practices, awareness needs to grow at the individual level as well. (For the latest on mobile technology, see Mobile Technology: Top Twitter Influencers to Follow.)
Implementing Secure OS Architecture
Implementation of a secure OS architecture has already begun with iPhones and the latest Samsung Galaxy Android smartphones implementing the feature. The iPhone and the Samsung Galaxy smartphones have two OSs: one OS is known as the application OS and the other is a smaller and more secure OS. The application OS is where smartphone users download and run their apps, while the second OS is used to handle keychain and cryptographic functions as well as other high-security tasks.
According to a white paper on Apple’s secure mobile OS, “The Secure Enclave is a coprocessor fabricated in the Apple A7 or later A-series processor. It utilizes its own secure boot and personalized software update separate from the application processor.”
So, the secure OS communicates with the application OS over a shared, and probably unencrypted, memory space and a single mailbox. The application OS is not allowed to access the main memory of the secure OS. Certain devices such as the touch ID sensor communicate with the secure OS over an encrypted channel. Samsung Galaxy smartphones use the TrustZone-based Integrity Measurement Architecture (TIMA) to verify the Android OS’ integrity.
Since a large number of financial transactions happen over mobile devices, the dual OS system could be extremely handy. For example, in the case of a credit card transaction, the secure OS will handle and pass the credit card data in an encrypted format. The application OS cannot even decrypt it.
Introducing Encryption and Authentication
Encryption and authentication have been implemented in smartphones to some degree already, but these steps are not enough. Recently, different concepts have been implemented to make encryption and authentication more robust. One such concept is containers. Simply put, containers are third-party applications that isolate and secure a certain portion of a smartphone’s storage. It is like a high-security zone. The goal is to prevent intruders, malware, system resources or other applications from accessing the application or its sensitive data.
Containers are available on all popular mobile OSs: Android, Windows, iOS and BlackBerry. Samsung offers Knox, and VMware provides containers for Android from the Horizon Mobile technology. Containers are available both for personal use and at the enterprise level.
Another way of encrypting mobile devices is to introduce compulsory encryption. Google is doing that with Android Marshmallow, and all devices that run Marshmallow are required to make use of full-disk encryption out of the box. Although earlier Android OS versions allowed one to enable encryption, i.e. since Android 3.0, the option had two limitations: one, it was an optional task (only Nexus devices were shipped with encryption already enabled) so users did not usually enable it, and two, enabling encryption was a bit too technical for many typical users.
Implementing Network Security and Secure Browsing
From the mobile device user’s point of view, there are a number of ways to browse securely:
- Do not modify the default browser settings in Android, iOS or Windows devices because the default settings are already providing good security.
- Do not log into unencrypted public wireless networks. People with bad intentions can also log into them. Sometimes, malicious people can set up an open network and set a trap for unsuspecting users. An iPhone or Android VPN can provide some security here, however.
- Try to use wireless networks that are secured. Such networks need a password or other authentication to allow access.
- Whenever you access a website where you are going to share personal or confidential information, such as your bank account details, make sure that the URL begins with HTTPS. This means that all data transmitted through this website is encrypted.
While secure browsing is required, it is at best the second step to securing mobile devices. The foundation is always network security. Mobile device security should begin with a multi-layered approach such as VPN, IPS, firewall and application control. Next-generation firewalls and unified threat management help IT administrators to monitor the flow of data and the behavior of users and devices while connected to a network.
Implementing Remote Wipe
Remote wipe is the practice of wiping out data from a mobile device via a remote location. This is done to make sure that confidential data does not fall into unauthorized hands. Normally, remote wipe is used in the following situations:
- The device is lost or stolen.
- The device is with an employee who is no longer with the organization.
- The device contains malware which can access confidential data.
Fibrelink Communications, a mobile device management company, remotely wiped 51,000 devices in 2013 and 81,000 devices in the first half of 2014.
However, since mobile device owners do not want anyone or anything else to access their personal devices, remote wiping may face a limitation. Owners are also rather lethargic when it comes to security. (To learn more on personal device use in business, see The 3 Key Components of BYOD Security.)
To overcome these problems, enterprises could create containers in mobile devices which will contain only confidential data. Remote wiping will be exercised only on the container and not on data outside the container. Employees need to feel confident that remote wiping is not going to affect their personal data. Enterprises can track the usage of the mobile device. If the device is not being used for a long time, chances are that it has been lost or stolen. In such a case, the remote wipe should be immediately deployed so that all confidential data is wiped out.
App Lifecycle Management and Data Sharing
Application lifecycle management (ALM) is the practice of supervising a software application from its primary and initial planning through to the time when the software is retired. The practice also means that changes to the application during the entire lifecycle are documented and the changes can be tracked. Obviously, security of the apps is of primary consideration before any app is made commercially available. It is extremely important to document and track how the security features of the app have evolved over time based on experience and feedback and how it has solved the problems of mobile device security. Depending on how well the security elements are incorporated in the apps, the retirement time for an app or its version is determined.
While remote wiping and secure browsing are good practices to follow, the most critical practices for ensuring mobile security are network security, OS architecture security and app life cycle management. These are the foundation pillars based on which a mobile device can be judged as secure or relatively unsecure. Over time, these practices must be enhanced as the usage of mobile devices for financial and enterprise transactions grow exponentially. Naturally, that will involve a lot of data being transmitted. The dual OS system followed by Apple seems to be a good case study of how to internally strengthen a mobile device and can be a model for future developments.