
Security threats mount with smart phone adoption

Editor’s Note: This article originally appeared in our September Special Edition, Behind the Scenes, a focus on integrated subscriber and network management systems. To download the complete Special Edition, click here.

In an increasingly mobile world, securing data on the go has become more crucial than ever, as well as more challenging, not least because enterprise IT departments are having to relinquish a certain amount of control over the data flowing in and out via company employees.
User privacy has also come under the spotlight most recently in the case of Canadian phone manufacturer Research In Motion Ltd., with several countries including India, Saudi Arabia, the United Arab Emirates, Indonesia and Lebanon threatening to ban BlackBerry services if not granted access to unencrypted user data.
RIM thus far has refused, saying it cannot and will not violate user privacy, but the issue doesn’t seem to be going away, and leaves uncomfortable questions about whether data from other phones is actually secure if governments aren’t demanding bans on devices from Nokia Corp. or Apple Inc., or those powered by Google Inc.’s Android operating system.
John Herrema, VP of marketing and chief marketing officer of Good Technology, a mobile device management and security products firm that licenses its encryption technology to RIM, said mobile security had become critical, and was even more important today due to the explosion of smartphone devices based on platforms like Apple’s iOS4 and Google’s Android OSes.
After all, these devices increasingly are being used for business and personal applications that demand the highest levels of security – e.g., corporate messaging and Intranet access, as well as personal finance and banking activities.
Herrema reminded RCR Wireless News of the famous reply by Will Sutton when asked “Why do you rob banks?” Namely, “Because that’s where the money is!” It’s no different for hackers and others looking to exploit computing security, said Herrema, adding that today’s cyber criminals increasingly are turning their attentions to mobile computing platforms because that’s where the end users are going.
What steps, therefore, can people take to ensure their privacy is maintained on a mobile device, and that their communications are secure and private?
According to Herrema, one of the most important steps users can take is to not purposely jailbreak or “root” their own device. “They are really exposing themselves when they do that,” he said, adding that sticking to official software was “by far the easiest thing a user can do to limit their exposure.”
Users, he said, should also take the time to read the notices and warnings that pop up when installing apps. Most mobile platforms will notify the user if an app is requesting access to potentially sensitive information such as their location, or access to their address book data, so privacy-conscious users can choose whether to allow such access.
Additionally, noted Herrema, users should be careful to never include social security numbers, PIN numbers, credit card numbers or other similar data in address book or calendar entries.
“There are legitimate reasons why an app might request access to phone number or e-mail address data, but users should be very selective about this and be sure they’re not exposing other highly sensitive data when doing so,” he explained.
Herrema said there isn’t much reason for users to take extra precautions to protect their mobile data and privacy, for instance, locking down the phone’s hardware components.
“Not all software is equally exploitable,” he reassured, noting that many of Good’s customers had hired third-party security firms to try their hand at “hacking” the Good for Enterprise encryption with no success.
This, he said, was “one of the many reasons” why Good customers such as the Army, Intel Corp., and Union Bank – to name but a few – use Good for Enterprise to secure and manage their mobile deployments.
Even with GPS, accelerometers and a whole host of other components in contemporary smart phones, Herrema maintains that unless a device is jailbroken or rooted, platforms like Apple’s iOS4 and Google’s Android require apps to “ask permission” to expose such potentially sensitive information. It is recommended, however, that users frequently go through the various permission settings on their applications to ensure everything is as it should be.
Is the onus of security, then, on the mobile user alone, or does some obligation fall to the operator, app developers and OS providers themselves?
Herrema argued that it is actually more of a shared responsibility among all of the aforementioned players, but especially the OS provider and the app developers.
“At Good we take great pride in ensuring that our applications are as absolutely secure as they can be and that we have successfully conducted extensive penetration and security testing procedures by multiple experts in the field. However, users play a very important role, too,” he said, adding, “If a user chooses to expose location or other sensitive personal information to a particular application, then there is not much that the OS provider can do about that!”
Security really going mobile
Most people today consider privacy worthy of a price tag premium, especially for best-in-class protection, but Herrema told RCR Wireless News users can and should expect a reasonable level of security and privacy as a “given” in the mobile devices and applications they purchase.
Of course, just like in the PC world, that doesn’t negate a legitimate market for premium anti-virus, encryption, or other security technologies that provide enhanced protection.
Hackers have started to turn their attention to mobile platforms, and antivirus firms like McAfee Inc. and Symantec Corp. have begun to pay serious attention to developing security offerings for mobile devices.
Many analysts believe this to be the driving factor in Intel’s recent acquisition of McAfee for the staggering sum of $8 billion, with In-Stat’s Jim McGregor saying: “Intel can use this technology not only for optimizing hardware solutions for PCs, but also for the other markets they are hoping to penetrate with Atom SoCs (system on a chip).”
Mobile consumer electronic devices, noted McGregor, are really only just coming into this world of threats, especially as they become computing devices that consumers use in conjunction with or instead of their PC.
“The PC environment has grown up around this environment, the CE devices, like smart phones, have not. So security has and will be a growing concern as all these devices get connected to the Internet,” he said.
Analyst Jack Gold concurs with McGregor’s views and added that while McAfee was expensive for Intel to acquire, it is a profitable company that also offers the firm a key advantage over the competition (ARM) when it comes to more complex and Internet connected devices, like tablets and higher-end devices.
“Intel is expanding its level of security enablement for business users, and ultimately for consumers as well, across the entire spectrum of devices including mobile,” explained Gold, noting that by building more security features obtained from McAfee back into the lower level systems functions, all users will ultimately benefit from more secure and manageable systems across many operating systems and device types.
“This will give Intel a competitive advantage as security becomes a key decision criteria in creating new devices and OSes,” he asserted.
In fact, Intel will also have the ability to “tune” the security capabilities of McAfee’s products to run faster/better on Intel hardware platforms and to provide chip-level optimization “hooks,” giving Intel the ability to couple optimized software and hardware capabilities, including the optimization for Atom devices.
Even on an OS level, with McAfee concentrating on Intel and Nokia’s MeeGo, the firm could gain a competitive edge against other OSes in the telco space.
“Still, Intel has to enable enhanced security protection for all of the various OS platforms to fully expand its chip market,” emphasized Gold, adding that this was especially critical for Atom, which is directly targeted at the device marketplace.
Enterprise mobile security adoption remains great
In terms of mobile privacy and security trends, however, enterprise mobile security adoption remains among the most important, especially in terms of an overall “enterprise mobility platform” strategy that starts with secure messaging and device management, expands to collaboration, and ultimately allows the enterprise to consistently and securely develop, deploy and manage multiple applications, across multiple mobile platforms.
“It is always less expensive and less disruptive for a company to install mobile data protection tools than to deal with a data exposure incident,” says Gartner Inc.’s John Girard.
Mobile device encryption is becoming a universal expectation, which is perhaps why the whole RIM affair and proposed bans on BlackBerry service are so disconcerting to many businesses operating in the Middle East and India.
As mentioned above, the United Arab Emirates and Saudi Arabia have threatened to block BlackBerry e-mail, messaging and web browsing services, which may force corporations to seek new e-mail solutions.
“It’s probably too soon to consider a migration from RIM for affected enterprises, but if this eventually becomes necessary, organizations should consider a multiplatform solution from an enterprise e-mail provider like Good or Sybase,” said Nick Jones from Gartner.
Speaking on behalf of Good, whose supposedly unbreakable encryption technology BlackBerry licenses, Herrema said that while he wouldn’t comment specifically on RIM, what he could say is that Good itself doesn’t store any end user data in its systems and interconnects with “on-premises” platforms like Exchange and Domino that are already accessible to “legitimate authorities,” which the firm says should be of no issue to customers.
“The RIM issue comes more down to having the information stored within the country’s borders than access to the information,” adds In-Stat analyst McGregor. “In other words, if the governments need access, they want it available within the country.”
“I think most democracies understand that there is a fine line between security for the government (tapping into messages) and security for the users (being able to encrypt messages),” opined Gold, adding that he would not be surprised if the National Security Agency already possessed ways to break AES encryption if necessary, but that this was not necessarily the case for other countries’ security agencies.
With other phones where e-mail is not encrypted, however, it becomes relatively easy for the government or any nefarious entity to monitor data traffic from a user’s device.
“That’s why the early iPhones and now Androids are such a problem for companies who want secure communications. If these countries [Saudi Arabia, India etc.] are not banning other devices, it tells you something about how loose the phones’ security is,” he warned.
Does this mean, then, that mobile security firms like Good are destined to butt heads with government authorities going forward?
“I don’t think so,” said Herrema, because protecting the user’s privacy and the security of apps and data from those with malicious intent is ultimately compatible with legitimate law enforcement and national security interests. “Because in Good’s case, we don’t see an inherent conflict between what we do to ensure mobile security for our customers, and what government authorities must do to ensure that national security and law enforcement interests are met.”
Legitimate governments and law enforcement agencies already have well-established procedures and processes for obtaining access to mobile voice and/or data communications when justified for national security or law enforcement purposes and most people in the Western world are comfortable enough with that.
Who to trust with your security
“It’s more of a philosophical question,” said Oliver Graves of Motricity. Namely, “do you trust your government with your personal information in return for a greater sense of security?”
There is also a question, however, of which entity is going to be the most trusted when it comes to our private data, and Graves believes for most, this role falls back on the mobile operator because of the economic relationship they have with subscribers.
“Subscribers don’t pay RIM. So the argument is between RIM and governments. If an operator were to step in and say given our agreement with subscribers, we will guarantee privacy and access to the data, we believe that will have more credibility with the consumer,” he said.
On a personal note, Graves added that he was more than happy to give access to his personal mobile data for the greater good of security as long as he could be guaranteed it would never be used against him.
McGregor agreed. “Is there ever a justification for accessing mobile data? Absolutely. Just think of the growing terrorist and cyber threats around the world,” he insisted.
“Could this information be misused? Yes, but hopefully governments use this information and access wisely.”
For Herrema, it’s not governments accessing mobile data which concerns him, but rather “the tsunami of mobile apps developed by the companies that have a very limited understanding and considerations for data privacy and confidentiality,” – specifically what type of information is collected by these apps and how the collected data is used and retained.
“That is worrisome,” he confided in RCR Wireless News.
However, cross-platform app store GetJar doesn’t necessarily agree with Herrema on this last point.
“Every decent developer includes a privacy statement where all the guarantees are provided,” Ilja Laurs, CEO of GetJar, said. Ultimately, however, he said the same trust model applies to apps as to websites.
“How do you choose whom to trust on the web, whom to entrust your personal data to? The answer is simple, the one which has a good reputation.”
A good reputation, says Laurs, is hard to gain and impossible to trick, both online and offline, PC or mobile. “Apps are not different,” he says.
GetJar, says Laurs, believes in the open Internet-like model. “To launch a website, you need no certification, approval, testing, etc. This is why the Internet exploded into what it is today. Security is handled on a scalable trust model, not using formal approval/certification, as apps are today.”
Going a step further, Laurs also posited that mandatory testing or certification of apps would “kill innovation” as 80% of app developers are one-man shows without the resources available.
“Just consider what happens if you ask these out-of-bedroom developers to run $50,000 certification and testing across 250+ devices (a typical requirement) on their hangman-like games and you know the answer. Even for large companies such as Google or Yahoo, all these certification requirements are a pain; for smaller developers it’s simply a non-starter,” he said.
According to the GetJar CEO, the reality is users have to always expect the data they provide may become available to third parties; therefore, users should provide only the minimum necessary details to any app/service.
“Again, you’re minimizing the risk by using apps by established brands that have a strong reputation, but you cannot eliminate the risks completely,” he concluded.
