
How to secure apps for mobile devices?

CIOL Bureau

BANGALORE, INDIA: The proportion of mobile devices providing open-platform functionality is expected to increase. The openness of these platforms offers significant opportunities to all parts of the mobile ecosystem, enabling flexible program and service delivery options, with applications that may be installed, removed or refreshed many times in line with user needs.


However, with openness comes the responsibility to prevent applications of unknown or untrusted origin from gaining unrestricted access to mobile resources and APIs. If this is not managed by a suitable security architecture and network precautions, it can lead to a major security breach resulting in damage to the user's device, the network or both.

With the market share of mobile user equipment running open operating systems steadily rising, expectations are high. The openness offers clear benefits to customers, device manufacturers, software developers and operators, as it acts as a catalyst for the development of rich and compelling applications. However, it also poses challenges and risks, and malicious applications are likely to increase in both number and complexity. Mobile application security is therefore a key issue for the mobile industry.

Some form of application security is provided on most open mobile device OSes, and industry groups including the GSM Association and the Open Mobile Terminal Platform (OMTP) have published recommendations for it. There are over 4 billion devices in use worldwide. Moreover, the mobile phone has become a proximity device for the user, something that is always on hand and convenient to use. This convenience has resulted in an explosion of mobile applications such as mobile banking, gaming, etc. All these applications require security, and as a result mobile application security is gaining in importance.


Best practices in mobile security

The processes followed while designing security for mobile applications depend on the organization concerned. Some use symmetric encryption such as AES and 3DES, essentially the same standards for mobile application security as for hardware-based authentication devices. Best practices that can be followed while designing mobile security applications include using SSL, following secure programming practices, validating inputs, leveraging the permission model provided by the operating system, applying the least-privilege model for system access, digitally signing the application's code, using secure mobile URLs and encouraging a safe browsing environment.
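The following is an added example, not code from the article or from any of the companies it quotes. It shows two of the practices listed above in working form: verifying a signed manifest at install time, so the permission list the store reviewed cannot be altered afterwards, and gating every guarded API call against the granted set, so an app holds only the privileges it declared. The permission names, the API table, the manifest layout and the store key are assumptions made for the example, and the HMAC stands in for the platform's public-key code signing so the block runs on the standard library alone.

```python
"""Install-time manifest verification and least-privilege API gating.

Added example; not code from the article or any vendor named in it.
Assumptions: the permission names, the API-to-permission table, the
manifest layout and the store signing key are all constructed. A real
platform signs packages with a public-key scheme; an HMAC over the
canonical manifest stands in for that here.
"""
import hashlib
import hmac
import json

# Constructed table of guarded APIs and the permission each one requires.
API_PERMISSIONS = {
    "net.open": "INTERNET",
    "sms.send": "SEND_SMS",
    "contacts.read": "READ_CONTACTS",
    "location.get": "LOCATION",
}
KNOWN_PERMISSIONS = set(API_PERMISSIONS.values())

# Constructed key standing in for the app store's signing key.
STORE_KEY = b"constructed-store-signing-key"


class PermissionDenied(Exception):
    pass


def canonical(manifest):
    """Stable byte encoding so the signer and the verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key=STORE_KEY):
    """Signature the store attaches after reviewing the manifest."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def install(manifest, signature, key=STORE_KEY):
    """Verify the signature, reject unknown permissions, return the granted set.

    Because the signature covers the permission list, an app that asks for more
    after review fails verification instead of silently gaining access.
    """
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        raise ValueError("manifest signature mismatch: refusing to install")
    requested = set(manifest["permissions"])
    unknown = requested - KNOWN_PERMISSIONS
    if unknown:
        raise ValueError("unknown permissions requested: %s" % sorted(unknown))
    return requested


class Runtime:
    """Mediates every guarded API call against the app's granted permissions."""

    def __init__(self, manifest, signature):
        self.app = manifest["name"]
        self.granted = install(manifest, signature)
        self.audit = []  # (app, api, allowed) records for later review

    def call(self, api):
        needed = API_PERMISSIONS.get(api)
        if needed is None:
            raise ValueError("unknown API %r" % api)
        allowed = needed in self.granted
        self.audit.append((self.app, api, allowed))
        if not allowed:
            raise PermissionDenied("%s lacks %s for %s" % (self.app, needed, api))
        return "%s:ok" % api


def run_app(manifest, signature, calls):
    """Run a sequence of API calls; return (allowed calls, denied calls)."""
    rt = Runtime(manifest, signature)
    allowed, denied = [], []
    for api in calls:
        try:
            rt.call(api)
            allowed.append(api)
        except PermissionDenied:
            denied.append(api)
    return allowed, denied


if __name__ == "__main__":
    # Constructed manifest for a banking app that only needs network access.
    bank = {"name": "mobile-bank", "permissions": ["INTERNET"]}
    sig = sign_manifest(bank)
    print(run_app(bank, sig, ["net.open", "sms.send", "contacts.read"]))
```

The audit list in Runtime is what a device-side monitor would forward for review: a pattern of denied calls from one app is itself a useful signal that it is probing for access it was never granted.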



Learnings from mobile security providers

McAfee: It is very important to abide by certain norms while designing applications. But it depends on the organization as to what development processes they are following to secure an application from hackers. And from the design perspective, it is very important to make users understand that installing unwanted and unauthorized applications is a complete no.

Vinoo Thomas, Technical Product Manager.

Vosco: One of the major challenges in securing apps is that there are a vast number of application stores that use different application standards, resulting in a variety of platforms. The industry today has not yet been capable of developing a standard for mobile applications.

Jan Valcke, COO and President.

Tech Mahindra: Mobile applications generally communicate with servers through SMSes, GPRS requests, etc. To perform mobile application security testing the essential elements are Mobile Information Device Profile (MIDP) and Money Manager Application.

Suhas Desai, Security Consultant.


Aquilonis: The biggest security concern is securing data. Architects should ensure that nobody infects their apps and that they are encrypted properly. One needs to make applications least vulnerable so that hackers are unable to hack them.

Rahuldev Rajguru, Co-founder and CEO.


Key challenges to security

A key challenge faced by mobile application architects is to proactively protect mobile users from fraud and malicious applications. Another huge task is to ensure the quality and accountability of mobile applications. Maintaining trust in mobile platforms (and avoiding the problems seen in the Internet world), and securing the existing and future businesses of various enterprises, is another huge job. Operators too must be protected from the various costs originating from malicious applications. Beyond all these, facilitating certification processes that reduce barriers for developers and ensure consistency across different OS platforms and operators will perhaps always be one of the major challenges.

It has been noted that security threats are platform dependent. As some platforms are more vulnerable than others, it is advisable that all applications on mobile devices are certified or signed to avoid decompilation. Hence it is extremely important to understand the architecture of mobile devices and their security platforms.


Some of the major threats include:

  1. Communication services: malicious users may misuse, manipulate or redirect communication services such as prepaid/postpaid charging, which directly causes financial loss.
  2. Eavesdropping: they may use eavesdropping techniques and electronic devices to intercept mobile communication services.
  3. Data privacy loss: they may exploit weakly encrypted data in mobile applications and communication services to steal data.
  4. Authentication: they may gain unauthorized access to the mobile phone, applications or services because of a weak authentication implementation.
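As an added example that is not part of the article, the following shows a server-side check that addresses threats 1, 3 and 4 above for an SMS-carried command channel such as a prepaid top-up: each command carries a MAC under a per-device key and a monotonically increasing counter, so altered, forged and replayed messages are rejected and logged rather than executed. The message layout, the device keys and the sample commands are constructed assumptions.

```python
"""Authenticating SMS-style commands against manipulation, forgery and replay.

Added example; not code from the article. Assumptions: the message layout
'device|counter|command|tag', the per-device keys and the sample messages
are constructed. In practice the key would be provisioned at enrolment
(for example onto the SIM) rather than embedded in source.
"""
import hashlib
import hmac

# Constructed per-device keys, as a provisioning database would hold them.
DEVICE_KEYS = {"dev-001": b"constructed-key-for-dev-001"}


def _tag(key, device, counter, command):
    """MAC over device id, counter and command; the counter defeats replay."""
    body = ("%s|%s|%s" % (device, counter, command)).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()[:32]


def build_message(device, counter, command):
    """What the handset sends, e.g. for a top-up request."""
    tag = _tag(DEVICE_KEYS[device], device, counter, command)
    return "%s|%d|%s|%s" % (device, counter, command, tag)


class CommandServer:
    """Server side: accept only authentic, fresh commands from known devices."""

    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}  # highest counter accepted per device
        self.log = []           # audit trail of accepted and rejected traffic

    def accept(self, raw):
        """Return (accepted, reason). Only accepted commands should be executed."""
        parts = raw.split("|")
        if len(parts) != 4:
            return self._reject(raw, "malformed")
        device, counter, command, tag = parts
        key = self.keys.get(device)
        if key is None:
            return self._reject(raw, "unknown device")
        if not counter.isdigit():
            return self._reject(raw, "bad counter")
        # Verify the tag first: an altered amount, a changed destination or a
        # forged sender all change the MAC, so none of them reach the counter check.
        if not hmac.compare_digest(_tag(key, device, counter, command), tag):
            return self._reject(raw, "bad tag")
        # A replayed message carries a counter the server has already accepted.
        if int(counter) <= self.last_counter.get(device, 0):
            return self._reject(raw, "replay")
        self.last_counter[device] = int(counter)
        self.log.append(("ACCEPT", device, command))
        return True, "ok"

    def _reject(self, raw, reason):
        self.log.append(("REJECT", reason, raw))
        return False, reason


if __name__ == "__main__":
    srv = CommandServer(DEVICE_KEYS)
    msg = build_message("dev-001", 1, "TOPUP:100:ACCT42")  # constructed command
    print(srv.accept(msg))                                   # accepted
    print(srv.accept(msg))                                   # replay rejected
    print(srv.accept(msg.replace("TOPUP:100", "TOPUP:900"))) # tampered amount rejected
```

The rejection reasons in the log are deliberately distinct: a run of "bad tag" entries from one device suggests tampering or a forged sender, while "replay" entries suggest captured traffic being resent, and each is worth alerting on separately.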



Mobile security pillars

A single application can be hacked without compromising other applications or the system itself. For this, symmetric encryption is extremely useful, considering it does not use a single point of entry. It should also be kept in mind that federation is practical but has its limitations when it comes to security. The pillars of mobile application security are:

  1. App Store Security Assessment

  2. Mobile Device Application Security Assessment

  3. Server component Security Assessment

  4. SIM Card Application Security Assessment.

These points should always be kept in mind while architecting applications, as these are the places where data is compromised when security is breached.


Mobile applications generally communicate with servers through SMS, GPRS, etc. Hence the essential elements for mobile application security testing are MIDP and the Money Manager application.

It has been observed that SIM cards that support DSTK and USSD play a major role in communication services, because they generally allow the integrator to have a secure communications channel.

Creating the test environment

Mobile application security testing can be broadly categorized into two areas: mobile application security testing and mobile SIM card application security testing. Mobile applications generally communicate with servers through SMS and GPRS. Hence the essential elements for mobile application security testing are the Mobile Information Device Profile (MIDP) and the Money Manager application. MIDP is a set of Java APIs together with a generic J2ME emulator, while the latter is a sample money manager application written in J2ME that can be installed on the MIDP emulator. A limitation of MIDP is that it does not support SMS communication with the server, so SMS traffic cannot be intercepted in this environment.

Possible security tests that can be conducted are authentication tests, input validation tests, session management tests, encryption tests and finally SQL injection tests. It is also essential to set up an environment in which to conduct the tests. For mobile SIM card application tests, the essentials are a SIM card reader/writer and SIM card communications software.
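As an added example, not part of the article, the following runs several of the listed test categories against a constructed in-memory SQLite server component: an injection probe against a string-built user lookup beside its parameterised form, PIN verification for the authentication check, and an expiring random-token session store for the session-management check. The table layout, the hashing parameters, the session store and the probe string are assumptions; find_user_concat is deliberately the vulnerable 'before' so the harness can show the probe slipping past it and not past the parameterised query.

```python
"""Server-component checks for the test categories above, run against a
constructed in-memory SQLite backend.

Added example; not code from the article. Assumptions: the users table, the
PIN hashing scheme, the session store and the probe string are constructed.
find_user_concat is intentionally vulnerable for comparison.
"""
import hashlib
import hmac
import secrets
import sqlite3
import time

PBKDF2_ROUNDS = 50_000


def make_db():
    """One user with a salted, iterated PIN hash (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pin_hash BLOB)")
    salt = secrets.token_bytes(16)
    pin_hash = hashlib.pbkdf2_hmac("sha256", b"1234", salt, PBKDF2_ROUNDS)
    db.execute("INSERT INTO users VALUES (?, ?, ?)", ("alice", salt, pin_hash))
    db.commit()
    return db


def find_user_concat(db, name):
    """Vulnerable 'before': user input pasted into the SQL text."""
    query = "SELECT name FROM users WHERE name = '%s'" % name
    return db.execute(query).fetchone()


def find_user_param(db, name):
    """Hardened version: the driver binds the value, so quotes are just data."""
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchone()


def verify_pin(db, name, pin):
    """Authentication check with a constant-time comparison of the derived key."""
    row = db.execute("SELECT salt, pin_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


class SessionStore:
    """Random, expiring session tokens; the clock is injectable for testing."""

    def __init__(self, ttl_seconds, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._sessions = {}  # token -> (user, expiry time)

    def create(self, user):
        token = secrets.token_urlsafe(32)  # unguessable, unrelated to user data
        self._sessions[token] = (user, self.clock() + self.ttl)
        return token

    def user_for(self, token):
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expiry = entry
        if self.clock() > expiry:
            del self._sessions[token]  # expired sessions are dropped, not renewed
            return None
        return user


def run_security_tests():
    """Return a name -> bool map; both 'vulnerable' entries must be False in production code."""
    db = make_db()
    probe = "x' OR '1'='1"  # textbook tautology used by injection tests
    results = {
        "sqli_concat_vulnerable": find_user_concat(db, probe) is not None,
        "sqli_param_vulnerable": find_user_param(db, probe) is not None,
        "wrong_pin_rejected": not verify_pin(db, "alice", "0000"),
        "right_pin_accepted": verify_pin(db, "alice", "1234"),
        "unknown_user_rejected": not verify_pin(db, "mallory", "1234"),
    }
    now = [1_000.0]
    store = SessionStore(ttl_seconds=300, clock=lambda: now[0])
    token = store.create("alice")
    results["valid_session_accepted"] = store.user_for(token) == "alice"
    now[0] += 301
    results["expired_session_rejected"] = store.user_for(token) is None
    results["unknown_token_rejected"] = store.user_for("not-a-token") is None
    return results


if __name__ == "__main__":
    for name, outcome in run_security_tests().items():
        print("%-26s %s" % (name, outcome))
```

Running the harness against the real server component rather than these stand-ins is the point of the test environment described above: each result line maps to one of the listed test categories, and any "vulnerable" entry reading True is a finding.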
