Securing mobile devices
Some enterprises and developers take extreme views when it comes to mobile security. At one extreme, they put all their trust in the mobile operating system; at the other, they refuse to move to mobile devices at all because they deem them insecure.
This is according to Christiann Barnaard, CTO at Entersect, who argues for a middle ground between the two approaches.
Speaking at the ITWeb Security Summit yesterday, Barnaard highlighted some of the factors that can open mobile devices up to malicious attacks and argued for methods to better secure these devices against attacks.
Compromised operating systems are one of the biggest mobile security threats, according to Barnaard. Examples include jail-broken iOS devices, or rooted devices in the case of Android operating systems.
Jail-broken iOS devices are able to run applications that have not been approved by Apple. In 2010, roughly four million iOS devices were jail-broken, accounting for 8% of the devices.
With Android, which already lets users run any application, rooting breaks the segregation between the applications on the device. Each application is supposed to have access only to its own data store; rooting opens the operating system so that applications can reach each other's data.
According to Barnaard, there are two ways to address the case of compromised operating systems. He says the best way is for developers to write applications that refuse to run on devices that have been jail-broken or rooted, while the second best option is to prompt users, letting them know the operating system has been compromised.
Barnaard says this allows users to take appropriate action to secure their devices. However, he warned that there are rising instances of malware penetrating devices that have not been compromised by jail-breaking or rooting.
Apart from malware, scenarios that open a mobile device up to criminals include fraudulent SIM swaps and collusion at the mobile operator level.
In instances of fraudulent SIM swaps, Barnaard says criminals can take a falsified ID document to a representative of the carrier or the mobile operator and pretend to be a user who lost their SIM card.
Barnaard warns that in instances where the network operator hands over the mobile number to the fraudster, the fraudster will have access to all the calls and SMSes coming in on the number, including OTPs (one-time passwords) sent by banks to secure online banking.
About three years ago, a mobile operator was at the centre of a banking scam, Barnaard says. In this case, someone sitting at the mobile operator level diverted SMS OTPs to another phone. Barnaard points out that technicians working at the operator level typically have the option to do this.
For this reason, Barnaard argues that mobile identity should not be a function of the mobile operator. Instead, he proposes that this function be performed by the relying party - the bank or enterprise.
According to Barnaard, this can take the form of a signature or digital certificate that is stored on the device, which would be used to validate the identity of the user to the bank or enterprise.
Barnaard stressed that in this case, the security of the storage on the device would have to be assured by cryptography - a method of protecting information by means of encryption. He adds that in addition to this digital certificate, users could have a password to further secure communication between the device and the bank or enterprise.
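The device-held credential Barnaard describes, sketched as an added Go example (not code from the talk or from Entersect): the handset signs a bank-issued challenge with a key that never leaves the device, so controlling the phone number, as after a SIM swap or an operator-side OTP diversion, is not enough to approve a transaction. All names and the transaction text are assumptions; the additional password layer he mentions is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// RelyingParty models the bank or enterprise: the enrolled device public key
// plus the challenges it has issued but not yet seen answered (constructed names).
type RelyingParty struct {
	devicePub *ecdsa.PublicKey
	pending   map[string]bool
}

// NewDeviceKey stands in for the key pair behind the certificate kept in the handset's protected storage.
func NewDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}
// Enroll binds the device public key to the user's account; the private half never leaves the device.
func Enroll(pub *ecdsa.PublicKey) *RelyingParty {
	return &RelyingParty{devicePub: pub, pending: map[string]bool{}}
}

// Challenge issues a fresh random nonce; the device must sign it together with the transaction.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	rp.pending[string(nonce)] = true
	return nonce, nil
}

// digest binds nonce and transaction text so neither can be swapped in transit.
func digest(nonce []byte, txn string) []byte {
	h := sha256.Sum256(append(append([]byte{}, nonce...), txn...))
	return h[:]
}
// DeviceSign runs on the handset: proof of possession of the enrolled private key.
func DeviceSign(priv *ecdsa.PrivateKey, nonce []byte, txn string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(nonce, txn))
}

// Verify accepts a valid signature over an outstanding nonce exactly once; a signature
// from any other key (e.g. whoever now controls the phone number) is rejected.
func (rp *RelyingParty) Verify(nonce []byte, txn string, sig []byte) bool {
	if !rp.pending[string(nonce)] || !ecdsa.VerifyASN1(rp.devicePub, digest(nonce, txn), sig) {
		return false
	}
	delete(rp.pending, string(nonce)) // retire the nonce so a captured answer cannot be replayed
	return true
}
```

Because the challenge and transaction text are both under the signature, an intercepted answer cannot be replayed or re-pointed at a different payee, which is exactly what an SMS OTP cannot guarantee once the number is in someone else's hands.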