Kenneth Van Wyk: We need more secure mobile devices
As things stand now, all bets are off if you lose your smartphone
Computerworld - When you combine the words "mobile device" and "security," you get an oxymoron. That's the state of security in the mobile world, and it's been that way since day one.
That has to change. Smartphones and tablets are increasingly doing heavy lifting in the corporate world, and are ever more likely to be repositories of sensitive data. But where do we start in making them more secure?
For now, forget about malware and sophisticated hacking. We first need to close the most gaping hole of all for mobile devices, one that every expert I have talked to over the years has agreed on: If a bad guy gets physical access to a mobile device, all bets are off. A few months ago, the folks at the OWASP Mobile Security Project backed up this assessment. They did a threat modeling exercise of mobile devices and determined that two of the most glaring issues are the loss or theft of the device and insecure communications.
A basic problem is that anyone who gets his hands on someone else's smartphone can access the user's login credentials with ridiculous ease. Mobile apps contribute to this problem. I myself have realized that some of the mobile apps that I use store login credentials and other sensitive data where they shouldn't be, and in the last month or so, I've read about numerous cases of such iOS app weaknesses. Using nothing more than a USB cable, an attacker can in many cases get to login and/or session credentials for many high-profile apps, on both iOS and Android platforms.
That's unacceptable, and we've got to demand better from our app vendors.
For starters, mobile app developers must keep in mind when writing their software that devices can easily be lost or stolen -- and recognize that a lost device shouldn't be a free ticket to valuable data. Most modern mobile platforms provide mechanisms for reasonably protecting things like user login credentials. These mechanisms are generally called keychains. Current versions of both Android and iOS have keychain APIs that app developers can and should be using. While not perfect, they do provide significant protection over simply storing usernames and passwords -- even when hashed -- in plaintext files (e.g., plist or properties files).
Second, other user data on mobile devices should be encrypted. This is something that users have to do themselves, but Android and iOS both provide mechanisms for doing that reasonably securely, and third-party add-ons like SQLcipher for AES encrypting SQLite databases are even better. If you look for strong mobile encryption mechanisms, you can find them.
More by Kenneth van Wyk
- Kenneth van Wyk: Where mobile apps go wrong
- Kenneth van Wyk: Apple's big fail
- Kenneth van Wyk: After Snowden
- Kenneth van Wyk: Target breach underscores how backward U.S. payment tech is
- Kenneth van Wyk: Enjoy your trip, but protect the data you take with you
- Kenneth van Wyk: Lingering faults with security by default
- Kenneth van Wyk: High hopes for iPhone's Touch ID
- Kenneth van Wyk: Why mobile apps beat Web apps for privacy
- Bug bounties: Bad dog! Have a treat!
- How to avoid Big Brother's gaze
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts